CVE-2026-22602 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other…
Low CVSS: 3.5

CVE-2026-22602

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
Vendor
Openproject
Product
Openproject
CWE
CWE-200
Yayın Tarihi
2026-01-10 02:15:49
Güncelleme
2026-01-14 22:26:18
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-200 Openproject LOW Openproject 2026

Referanslar

https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37 https://github.com/opf/openproject/pull/21281 https://github.com/opf/openproject/releases/tag/v16.6.2 https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j