CVE-2026-44731
Status: Deferred - Pending Action
Information Disclosure in OpenProject Meetings Filter

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (4 associated CPEs)

| Vendor      | Product     | Version / Range           |
|-------------|-------------|---------------------------|
| openproject | openproject | up to 17.4.0 (excluding)  |
| openproject | openproject | up to 17.3.2 (excluding)  |
| openproject | openproject | 17.3.2                    |
| openproject | openproject | 17.4.0                    |
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44731 is a vulnerability in OpenProject, an open-source web-based project management software. The issue exists in the meetings filter feature prior to versions 17.3.2 and 17.4.0. Specifically, the 'invited_user_id' parameter in a GET request can leak information about whether a user ID corresponds to a valid account and also disclose the full name of that user.

An attacker can exploit this vulnerability by sending requests with different user IDs and observing the server's responses. This allows the attacker to enumerate all existing user accounts on the system.

Impact Analysis

This vulnerability allows an attacker to discover valid user IDs and obtain the full names of users in the OpenProject system. This user enumeration can lead to privacy breaches and potentially facilitate further targeted attacks such as phishing or social engineering.

The vulnerability has a moderate severity with a CVSS score of 4.3, requires low privileges, and does not need user interaction, making it relatively easy to exploit.

Detection Guidance

This vulnerability can be detected by sending GET requests to the OpenProject meetings filter endpoint with different user IDs in the "invited_user_id" parameter and observing the server responses.

Specifically, you can probe the endpoint /projects/[projectName]/meetings with varying user IDs to see if the response discloses whether the user ID corresponds to a valid account and reveals the user's full name.

A sample command using curl might be:

  • curl -i "https://[your-openproject-domain]/projects/[projectName]/meetings?invited_user_id=[userID]"

By iterating over different userID values and comparing the responses, an attacker or tester can enumerate valid user accounts.
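The guidance above describes what a probe looks like from the client side; the same pattern is visible to the defender in the web server's access log. The following script is an added example, not part of this advisory or of the OpenProject project: it reads lines in the common combined log format (an assumption; adapt the regex if a reverse proxy writes a different format), keeps only requests to `/projects/<name>/meetings` that carry an `invited_user_id` query parameter, and flags any client IP that queries a configurable number of distinct user IDs within a sliding time window. The sample log lines, the threshold of 5 distinct IDs and the 10-minute window are constructed values chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
# 203.0.113.7 walks through invited_user_id=1..6 within a few seconds,
# which is the enumeration pattern; 198.51.100.4 uses the filter twice
# for ordinary lookups and also loads an unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jun/2026:10:00:01 +0000] "GET /projects/demo/meetings?invited_user_id=1 HTTP/1.1" 200 5123
203.0.113.7 - - [26/Jun/2026:10:00:02 +0000] "GET /projects/demo/meetings?invited_user_id=2 HTTP/1.1" 200 5140
203.0.113.7 - - [26/Jun/2026:10:00:02 +0000] "GET /projects/demo/meetings?invited_user_id=3 HTTP/1.1" 200 5011
203.0.113.7 - - [26/Jun/2026:10:00:03 +0000] "GET /projects/demo/meetings?invited_user_id=4 HTTP/1.1" 200 5138
203.0.113.7 - - [26/Jun/2026:10:00:04 +0000] "GET /projects/demo/meetings?invited_user_id=5 HTTP/1.1" 200 5007
203.0.113.7 - - [26/Jun/2026:10:00:05 +0000] "GET /projects/demo/meetings?invited_user_id=6 HTTP/1.1" 200 5142
198.51.100.4 - - [26/Jun/2026:10:01:10 +0000] "GET /projects/demo/meetings?invited_user_id=42 HTTP/1.1" 200 5131
198.51.100.4 - - [26/Jun/2026:10:02:30 +0000] "GET /projects/demo/work_packages HTTP/1.1" 200 8820
198.51.100.4 - - [26/Jun/2026:10:03:15 +0000] "GET /projects/demo/meetings?invited_user_id=7 HTTP/1.1" 200 5140
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Only the meetings filter endpoint named in the advisory is of interest.
MEETINGS_PATH = re.compile(r'^/projects/[^/]+/meetings/?$')


def parse_filter_request(line):
    """Return (ip, timestamp, invited_user_id) for a meetings-filter request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not MEETINGS_PATH.match(url.path):
        return None
    ids = parse_qs(url.query).get("invited_user_id")
    if not ids:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, ids[0]


def find_enumeration(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag client IPs that query `threshold` or more distinct invited_user_id
    values within any span of length `window`. Returns {ip: details}."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_filter_request(line)
        if parsed:
            ip, ts, uid = parsed
            events[ip].append((ts, uid))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order per client
        left = 0
        for right in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            ids = {uid for _, uid in evs[left:right + 1]}
            if len(ids) >= threshold:
                prev = flagged.get(ip)
                if prev is None or len(ids) > prev["distinct_ids"]:
                    flagged[ip] = {
                        "distinct_ids": len(ids),
                        "ids": sorted(ids, key=lambda s: (len(s), s)),
                        "first_seen": evs[left][0],
                        "last_seen": evs[right][0],
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_ids']} distinct invited_user_id values between "
              f"{info['first_seen']:%H:%M:%S} and {info['last_seen']:%H:%M:%S}: {info['ids']}")
```

Tune the threshold to the legitimate use of the filter in your instance: a project manager may look up a handful of invitees in a session, whereas a client cycling through dozens of consecutive IDs is the signature to alert on. Because the endpoint requires an authenticated session, correlating the flagged IP with the session's user ID (available in OpenProject's own request log, not in the proxy log used here) identifies the account to review.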

Mitigation Strategies

The immediate mitigation step is to upgrade OpenProject to version 17.3.2 or 17.4.0, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the meetings filter feature or the affected endpoint to trusted users only, to reduce the risk of user enumeration.

Compliance Impact

The vulnerability allows an attacker to enumerate all existing user accounts by probing user IDs and observing server responses, which discloses whether a user ID is valid and reveals the user's full name.

This leakage of user identity information could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personally identifiable information (PII) and preventing unauthorized disclosure of user data.

However, the provided information does not explicitly state the compliance impact or any regulatory assessment.
