CVE-2026-44735
Status: Deferred - Pending Action
Information Disclosure in OpenProject API

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only; it does not verify that the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, and what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.
Generated: 2026-06-27
AI Q&A: 2026-06-27
Affected Vendors & Products
Showing 7 associated CPEs (vendor: openproject, product: openproject):
  • 17.3.2
  • 17.4.0
  • up to 17.3.2 | end_excluding=17.4.0 (exc)
  • up to 17.3.2 (inc)
  • up to 17.4.0 (inc)
  • up to 17.4.0 (exc)
  • up to 17.3.1 (inc)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Compliance Impact

The vulnerability in OpenProject allows unauthorized disclosure of sensitive information such as work package IDs, confidential titles, sharing relationships, and role assignments to users who should not have access to this data. This information disclosure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and confidential information.

Since the vulnerability exposes confidential project details without proper authorization checks at the individual work package level, it increases the risk of unauthorized data access. This undermines the principles of data minimization and access control mandated by these regulations.

Therefore, organizations using affected versions of OpenProject prior to 17.3.2 and 17.4.0 may face compliance challenges until the vulnerability is remediated.

Executive Summary

CVE-2026-44735 is an information disclosure vulnerability in OpenProject, web-based project management software. The issue occurs in versions prior to 17.3.2 and 17.4.0, where the GET /api/v3/shares endpoint returns share details for all work packages in a project to any user with the view_shared_work_packages permission.

The problem is that the authorization check only verifies permissions at the project level and does not confirm whether the user can view each individual shared work package. As a result, a regular project member can access sensitive information such as work package IDs, subjects (including confidential titles), sharing relationships, and role assignments.

The root cause is a missing visibility filter in the authorization logic, which was fixed by adding work package visibility filtering.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive project information. Regular project members with the view_shared_work_packages permission can discover confidential work package details such as IDs, titles, who has shared access, and assigned roles.

Although it does not affect data integrity or availability, the confidentiality impact is high, potentially exposing sensitive or confidential project data to unauthorized users.

Detection Guidance

This vulnerability can be detected by checking if the OpenProject instance is running a vulnerable version (prior to 17.3.2 and 17.4.0) and by testing the behavior of the GET /api/v3/shares endpoint.

A practical detection method is to perform an API request to the /api/v3/shares endpoint as a user with the view_shared_work_packages permission and observe whether share details for all work packages in a project are returned, including those the user should not have access to.

Example command using curl to test the endpoint (replace placeholders accordingly):

  • curl -H "Authorization: Bearer <user_token>" https://<openproject_url>/api/v3/shares

If the response includes share details for work packages that the user should not be able to view individually, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenProject to version 17.3.2 or 17.4.0 or later, where the vulnerability is fixed.

The fix involves adding work package visibility filtering to the authorization scope, preventing unauthorized users from viewing share details of work packages they do not have access to.
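To make the gap described in the Description and in this section concrete, here is an added Ruby illustration (not OpenProject's own code; the in-memory model, struct names and permissions hash are assumptions) contrasting a shares scope that checks only the project-level view_shared_work_packages permission with one that also filters by per-work-package visibility:

```ruby
# Added illustration of the authorization gap; a toy in-memory model, not OpenProject code.
# Struct names (WorkPackage, Share), the :visible_to list and the permissions hash are assumptions.
WorkPackage = Struct.new(:id, :project, :subject, :visible_to) # visible_to: user names allowed to view it
Share       = Struct.new(:work_package, :principal, :role)     # role: :editor, :commenter or :viewer

class SharesQuery
  # permissions: { user => { project => [permission symbols] } }
  def initialize(shares, permissions)
    @shares = shares
    @permissions = permissions
  end

  # Project-level check only: the check the vulnerable endpoint performs.
  def project_permitted?(user, project)
    (@permissions.dig(user, project) || []).include?(:view_shared_work_packages)
  end

  # Vulnerable scope: every share in the project is returned once the project check passes,
  # so subjects of work packages the user cannot open are leaked along with principals and roles.
  def shares_before_fix(user, project)
    return [] unless project_permitted?(user, project)
    @shares.select { |s| s.work_package.project == project }
  end

  # Fixed scope: the same project check, then a per-work-package visibility filter.
  def shares_after_fix(user, project)
    return [] unless project_permitted?(user, project)
    @shares.select do |s|
      s.work_package.project == project && s.work_package.visible_to.include?(user)
    end
  end

  # Subjects the vulnerable scope exposes to `user` that the fixed scope withholds.
  def leaked_subjects(user, project)
    (shares_before_fix(user, project) - shares_after_fix(user, project)).map { |s| s.work_package.subject }
  end
end

# Constructed sample data: one ordinary and one confidential work package in project "alpha".
WP_PUBLIC = WorkPackage.new(1, "alpha", "Sprint planning", %w[alice bob])
WP_CONF   = WorkPackage.new(2, "alpha", "Confidential: vendor renegotiation", %w[alice])
SHARES    = [Share.new(WP_PUBLIC, "carol", :viewer), Share.new(WP_CONF, "dave", :editor)]
PERMS     = { "alice" => { "alpha" => [:view_shared_work_packages] },
              "bob"   => { "alpha" => [:view_shared_work_packages] },
              "eve"   => {} }
QUERY     = SharesQuery.new(SHARES, PERMS)
```

With this data, `QUERY.leaked_subjects("bob", "alpha")` returns the confidential subject, which is exactly what the patched scope withholds from bob.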

Until the upgrade can be applied, consider restricting the view_shared_work_packages permission to trusted users only, to limit exposure.
