CVE-2026-49355
Status: Deferred - Pending Action
Private Work Package Data Exposure in OpenProject

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
openproject | openproject | up to 17.4.0 (exclusive)
openproject | openproject | 17.4.1
CWE ID | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-49355 is a vulnerability in OpenProject, an open-source web-based project management software. Before version 17.4.1, a specific API endpoint allowed unauthorized users to access private work package data linked to meetings. By sending a GET request to `/api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id`, an attacker could retrieve sensitive information from work packages belonging to private or inaccessible projects.

The root cause is a missing authorization check (CWE-639): the agenda-item endpoint returns the linked work package without verifying that the requester is permitted to view that work package's project.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of confidential project data. Attackers with low privileges and no need for user interaction can exploit this to access sensitive information from private projects, potentially compromising confidentiality.

The impact is limited to confidentiality, with no effect on data integrity or availability.

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable API endpoint and checking whether private work package data is disclosed without proper authorization.

  • Use a command like: `curl -i -X GET "http://<openproject-server>/api/v3/meetings/<meeting_id>/agenda_items/<agenda_item_id>" -H "Authorization: Bearer <token>"`

If the response contains private or sensitive work package data from a project that should be inaccessible to the requesting user, the system is vulnerable.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade OpenProject to version 17.4.1 or later, where the issue has been patched.

Until the upgrade can be performed, restrict access to the affected API endpoint to trusted users only, and monitor API usage for suspicious access patterns.

Compliance Impact

This vulnerability allows unauthorized disclosure of private work package data, which constitutes exposure of sensitive information. Such unauthorized data exposure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.

Since the vulnerability involves leaking private data from inaccessible projects, organizations using affected versions of OpenProject may risk violating confidentiality requirements imposed by these standards until the issue is patched.
