CVE-2026-44736
Status: Deferred - Pending Action
Information Disclosure in OpenProject Prior to 17.4.0

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject (title) of work packages they have no permission to view — by supplying an arbitrary work package ID in the involved, fromId, or toId filter. This bypasses the Relation.visible scope due to a flawed performance optimization in RelationQuery. This vulnerability is fixed in 17.4.0.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor       Product       Version / Range
openproject  openproject   up to and including 17.4.0
openproject  openproject   up to but excluding 17.4.0
CWE
CWE ID   Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-836 The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.
AI Quick Actions (AI-generated insights)
Executive Summary

CVE-2026-44736 is a security vulnerability in OpenProject versions prior to 17.4.0 that affects the Relations API endpoint (/api/v3/relations). It allows any authenticated user to bypass visibility restrictions and access the subject titles of work packages they are not authorized to view by supplying arbitrary work package IDs in certain filters (involved, fromId, or toId).

This happens because of flawed filter logic in the RelationQuery class, which incorrectly skips enforcing the visibility scope when these filters are applied. Specifically, the filters only validate the visibility of the opposite side of a relation, not the user-supplied side, enabling unauthorized data exposure.

An attacker can exploit this by issuing API requests with these filters for many work package IDs, enumerating in bulk the titles of work packages they cannot otherwise see; those titles may reveal sensitive information such as project names or strategic plans.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information within OpenProject. Authenticated users without proper permissions can access the titles of work packages and relations they should not see.

Such unauthorized access can expose confidential project details, strategic plans, or other sensitive data, potentially leading to information leakage and competitive disadvantage.

The vulnerability has a medium severity rating (CVSS 6.5) primarily due to its high confidentiality impact, although it does not affect integrity or availability.

Detection Guidance

This vulnerability can be detected by monitoring API requests to the OpenProject server, specifically GET requests to the /api/v3/relations endpoint.

An authenticated user making GET requests whose involved, fromId, or toId filter carries work package IDs outside the projects that user can see, or that walk through many different IDs in a short time, can indicate exploitation attempts; ordinary clients use these filters too, so the filter alone is not evidence.

To detect potential exploitation, you can search your web server or application logs for API calls that include these filters with unexpected or unauthorized IDs.

  • Example command to search logs for such API calls (assuming the access log is access.log). OpenProject carries the filter names inside the URL-encoded JSON of the filters query parameter, so match on the names alone rather than on a literal involved=:
    grep '/api/v3/relations' access.log | grep -E 'involved|fromId|toId'

Additionally, monitoring for unusual authenticated user activity querying relations they should not have access to can help identify exploitation.
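As an added example (not part of this advisory page or of OpenProject's own tooling), the following Python script carries the detection idea above further than a plain grep: it parses reverse-proxy access log lines in combined format, URL-decodes the filters query parameter of each GET /api/v3/relations request, pulls out the work package IDs supplied to the involved, fromId, or toId filter, and flags client IPs that supplied more than a threshold of distinct IDs, which is the bulk-enumeration pattern the summary describes. It assumes the log is in combined format and groups by client IP because that log does not record the OpenProject user; the log lines are constructed, the threshold is an arbitrary example value, and the filter JSON layout follows OpenProject's API v3 filter syntax.

```python
import json
import re
from collections import defaultdict
from urllib.parse import quote, urlsplit, parse_qs

# Combined-log-format prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_FILTERS = ("involved", "fromId", "toId")
RELATIONS_PATH = "/api/v3/relations"


def extract_watched_filters(target):
    """Return {filter_name: [work package ids]} for the watched filters in a
    /api/v3/relations request target, or {} if the request is not one.
    OpenProject passes filters as a URL-encoded JSON array in the 'filters'
    query parameter, e.g. filters=[{"involved":{"operator":"=","values":["42"]}}]."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != RELATIONS_PATH:
        return {}
    found = defaultdict(list)
    for raw in parse_qs(parts.query).get("filters", []):  # parse_qs URL-decodes
        try:
            filters = json.loads(raw)
        except ValueError:
            continue
        if not isinstance(filters, list):
            continue
        for entry in filters:
            if not isinstance(entry, dict):
                continue
            for name, spec in entry.items():
                if name in WATCHED_FILTERS and isinstance(spec, dict):
                    found[name].extend(str(v) for v in spec.get("values", []))
    return dict(found)


def summarize(log_lines, threshold=5):
    """Count GET /api/v3/relations requests that use a watched filter and flag
    source IPs that supplied more than `threshold` distinct work package IDs.
    The threshold is an example value; tune it to the deployment's normal usage."""
    ids_per_source = defaultdict(set)
    hits = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        found = extract_watched_filters(m.group("target"))
        if not found:
            continue
        hits += 1
        for ids in found.values():
            ids_per_source[m.group("ip")].update(ids)
    flagged = {ip: sorted(ids) for ip, ids in ids_per_source.items() if len(ids) > threshold}
    return {"watched_requests": hits, "flagged_sources": flagged}


# --- Constructed sample log (not real traffic; IPs are documentation ranges) ---
def _log_line(ip, target, method="GET"):
    return f'{ip} - - [26/Jun/2026:10:00:00 +0000] "{method} {target} HTTP/1.1" 200 512'


def _relations_target(filter_name, wp_id):
    filters = json.dumps([{filter_name: {"operator": "=", "values": [str(wp_id)]}}])
    return f"{RELATIONS_PATH}?filters={quote(filters, safe='')}"


SAMPLE_LOG = (
    # 203.0.113.5 walks eight different work package IDs across the three filters
    [_log_line("203.0.113.5", _relations_target(WATCHED_FILTERS[i % 3], 100 + i)) for i in range(8)]
    # 198.51.100.7 asks twice about the same work package: ordinary usage
    + [_log_line("198.51.100.7", _relations_target("involved", 42))] * 2
    # noise that must be ignored: other endpoint, non-watched filter, non-GET
    + [
        _log_line("198.51.100.7", "/api/v3/work_packages/42"),
        _log_line("198.51.100.7", RELATIONS_PATH + "?filters="
                  + quote('[{"type":{"operator":"=","values":["follows"]}}]', safe="")),
        _log_line("203.0.113.5", RELATIONS_PATH, method="POST"),
    ]
)

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run against a real log with `summarize(open("access.log"))`; the flagged list is a starting point for review, not proof of abuse, since a client that legitimately works with many work packages will also exceed a low threshold. Correlating the flagged IPs with the application's own user and project membership data is what turns the count into a finding.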

Mitigation Strategies

The immediate mitigation step is to upgrade OpenProject to version 17.4.0 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, restrict access to the /api/v3/relations endpoint to only trusted users or roles that require it.

Additionally, monitor and audit API usage to detect and block suspicious requests exploiting the involved, fromId, or toId filters.

Implement network-level controls such as firewall rules or API gateways to limit access to the vulnerable endpoint.

Compliance Impact

This vulnerability allows authenticated users to bypass visibility restrictions and access sensitive information from work packages they are not authorized to view. Such unauthorized disclosure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

By exposing confidential project details and potentially personal data without proper authorization, the vulnerability increases the risk of data breaches and unauthorized data exposure, which are critical compliance concerns under these standards.
