CVE-2026-47193
Deferred - Pending Action
Information Disclosure in OpenProject Journal Diff

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.
Meta Information
Generated: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor        Product       Version / Range
openproject   openproject   to 17.3.3 (inc)
openproject   openproject   to 17.4.1 (inc)
openproject   openproject   to 17.4.0 (exc)

Note: the first two rows list the fixed releases (17.3.3 and 17.4.1) as inclusive upper bounds, which conflicts with the description above. The affected versions per the advisory are 17.3.2 and earlier, and 17.4.0; 17.3.3 and 17.4.1 are the fixed releases.
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Compliance Impact

This vulnerability allows unauthorized disclosure of hidden historical text values, including sensitive data such as hidden work package descriptions, restricted journal contents, project custom fields, and cancelled meeting notes.

Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive and personal information.

Because the vulnerability bypasses object, journal, and field visibility checks, it undermines the confidentiality and access control measures that are essential for compliance with these standards.

Executive Summary

CVE-2026-47193 is a vulnerability in OpenProject, an open-source web-based project management software. The issue exists in the journal diff endpoint (GET /journals/:journal_id/diff/:field), which bypasses object, journal, and field visibility checks.

This means that unauthorized users, including low-privileged or unauthenticated users in public-project configurations, can access hidden historical text values that should normally be restricted.

The vulnerability arises because the endpoint's authorization logic relies on broad permissions like view_work_packages or view_project instead of enforcing granular visibility checks for journals, objects, and fields.

As a result, sensitive data such as hidden work package descriptions, restricted journal contents, project custom fields, and cancelled meeting notes can be exposed.

This vulnerability affects OpenProject versions 17.3.2 and earlier, as well as 17.4.0, and was fixed in versions 17.3.3 and 17.4.1.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive historical information stored within OpenProject.

  • Exposure of hidden work package descriptions.
  • Access to restricted journal contents.
  • Disclosure of project custom fields that may contain confidential data.
  • Revealing cancelled meeting notes that were intended to be hidden.

Such exposure can compromise project confidentiality and potentially leak sensitive organizational information to unauthorized users.

Detection Guidance

This vulnerability involves unauthorized access to the journal diff endpoint (GET /journals/:journal_id/diff/:field) in OpenProject versions 17.3.2 and earlier, and 17.4.0. Detection can focus on monitoring access to this specific endpoint, especially requests from low-privileged or unauthenticated users.

You can detect potential exploitation attempts by checking web server or application logs for unusual or unauthorized GET requests to paths matching /journals/*/diff/*.

Example commands for a first pass:

  • Searching Nginx (or Apache, adjusting the log path, e.g. /var/log/apache2/access.log) access logs for the path pattern: grep -E '"GET /journals/[0-9]+/diff/[^ ]+' /var/log/nginx/access.log
  • Checking whether an instance is still affected, from a session that should not be allowed to see the journal (for example no session at all, against a journal in a non-public project): curl -i 'https://your-openproject-instance/journals/123/diff/field_name' (replace 123 and field_name with a real journal id and field name). A 200 response that carries diff content for a journal the caller cannot otherwise view means the endpoint is unpatched; a patched instance refuses the request under the same visibility rules that apply to the journal itself.

If you observe unauthorized or unexpected access to this endpoint, it may indicate attempts to exploit the vulnerability.
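The grep above only lists matching requests; what an analyst actually wants is a per-client view that separates a user opening one history diff from a client walking through many journal ids. The following script is an added example (not part of this advisory or of OpenProject) that parses combined-format access logs, extracts requests to /journals/:journal_id/diff/:field, and flags clients by journal-id spread and by the absence of a Referer. The log lines embedded in it are constructed for illustration; the combined format carries no cookie, so the script uses those signals as proxies for "unauthenticated or scripted" rather than reading the session directly.

```python
"""Scan web-server access logs for requests to the OpenProject journal diff
endpoint (GET /journals/:journal_id/diff/:field) and flag clients that look
like they are enumerating journals. Added example; not OpenProject code."""
import re
from collections import defaultdict

# nginx/Apache "combined" log format. No cookie is logged, so the
# authentication state of a request cannot be read from these lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Matches the affected endpoint; the field name stops at "/", "?" or "#".
DIFF_RE = re.compile(r'^/journals/(?P<journal_id>\d+)/diff/(?P<field>[^/?#]+)')

# Constructed sample traffic, not real log data: one browser user opening a
# single diff, and one curl client sweeping consecutive journal ids.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jun/2026:10:00:01 +0000] "GET /projects/demo/work_packages/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2026:10:00:02 +0000] "GET /journals/1001/diff/description HTTP/1.1" 200 2048 "https://op.example/work_packages/42" "Mozilla/5.0"
198.51.100.9 - - [26/Jun/2026:10:00:05 +0000] "GET /journals/1001/diff/description HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.9 - - [26/Jun/2026:10:00:05 +0000] "GET /journals/1002/diff/description HTTP/1.1" 200 1900 "-" "curl/8.5.0"
198.51.100.9 - - [26/Jun/2026:10:00:06 +0000] "GET /journals/1003/diff/description HTTP/1.1" 200 1700 "-" "curl/8.5.0"
198.51.100.9 - - [26/Jun/2026:10:00:06 +0000] "GET /journals/1004/diff/notes HTTP/1.1" 403 112 "-" "curl/8.5.0"
198.51.100.9 - - [26/Jun/2026:10:00:07 +0000] "GET /journals/1005/diff/description?x=1 HTTP/1.1" 200 1600 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_diff_requests(lines):
    """Return one record per GET request that hit the journal diff endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        m = DIFF_RE.match(rec["path"])
        if not m:
            continue
        hits.append({
            "ip": rec["ip"], "time": rec["time"],
            "journal_id": int(m["journal_id"]), "field": m["field"],
            "status": int(rec["status"]), "referer": rec["referer"], "ua": rec["ua"],
        })
    return hits


def summarize(hits, enumeration_threshold=3):
    """Per-client view of diff-endpoint traffic with a simple suspicion flag.

    A client is flagged when it touched at least `enumeration_threshold`
    distinct journals, or when every one of its requests lacked a Referer
    (browser navigation from a work package page normally sends one, though a
    strict Referrer-Policy can strip it) and at least one was answered 200.
    A 200 only means the server answered; whether that client was allowed to
    see that journal has to be confirmed in the application itself."""
    per_ip = defaultdict(lambda: {"requests": 0, "journals": set(),
                                  "ok_responses": 0, "no_referer": 0})
    for h in hits:
        s = per_ip[h["ip"]]
        s["requests"] += 1
        s["journals"].add(h["journal_id"])
        if h["status"] == 200:
            s["ok_responses"] += 1
        if h["referer"] in ("", "-"):
            s["no_referer"] += 1
    report = {}
    for ip, s in per_ip.items():
        distinct = len(s["journals"])
        blind = s["no_referer"] == s["requests"] and s["ok_responses"] > 0
        report[ip] = {
            "requests": s["requests"],
            "distinct_journals": distinct,
            "ok_responses": s["ok_responses"],
            "suspicious": distinct >= enumeration_threshold or blind,
        }
    return report


if __name__ == "__main__":
    for ip, row in summarize(find_diff_requests(SAMPLE_LOG.splitlines())).items():
        print(ip, row)
```

Run it against a real file with `find_diff_requests(open("/var/log/nginx/access.log"))`. The thresholds are deliberately low so the sample is readable; on a busy instance, raise `enumeration_threshold` and add a time window, and treat the output as a triage list to be confirmed against OpenProject's own membership and visibility data, not as proof of disclosure.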

Mitigation Strategies

The primary mitigation is to upgrade OpenProject to a fixed release: 17.3.3 or later on the 17.3 series, or 17.4.1 or later on the 17.4 series.

Until you can upgrade, consider restricting access to the journal diff endpoint with network-level controls such as firewall rules or web application firewall (WAF) rules on the path /journals/:journal_id/diff/:field. A reverse proxy or WAF cannot tell which journals a given session is allowed to see, so the practical options are to block the path outright or to allow it only from trusted networks; either way, legitimate users lose the history diff view until the block is lifted after the upgrade.
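One way to apply that temporary restriction in an nginx reverse proxy in front of OpenProject, as an added example that is not OpenProject's own configuration: the `location` block below goes inside the existing `server {}` that already proxies the application. The upstream name `openproject_backend` and the allowed range `10.0.0.0/8` are assumptions to be replaced with your own values.

```nginx
# Temporary pre-upgrade restriction for CVE-2026-47193 (added example, not
# OpenProject's configuration). Remove it once 17.3.3 / 17.4.1 is deployed.
location ~ ^/journals/[0-9]+/diff/ {
    # Only an internal administrative range (assumed value) may still use
    # the history diff view; everyone else receives 403.
    allow 10.0.0.0/8;
    deny  all;

    # Reuse the same proxy settings as the main OpenProject location.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://openproject_backend;   # assumed upstream name
}
```

The regex location is matched before the prefix location that proxies the rest of the application, so no other path is affected. Requests blocked here still appear in the access log with status 403, which keeps the detection approach above usable for spotting clients that keep probing the endpoint.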

Additionally, review project visibility and user permissions to minimize exposure, especially in public-project configurations.
