CVE-2026-44731
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
In OpenProject prior to versions 17.3.2 and 17.4.0, the meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name. This allows an attacker to enumerate all existing user accounts by probing user IDs and observing differences in server responses.
Risk Assessment
The risk involves the ability to perform user enumeration attacks, which can lead to information disclosure about the organization's structure and facilitate further social engineering or brute-force attacks on accounts.
Recommendation
Immediately update OpenProject to version 17.3.2 or 17.4.0, which includes a fix that prevents the leakage of user information.
Original NVD description (English source)
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0.

