CVE Catalog

CVE-2026-44735

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

In OpenProject prior to versions 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for all work packages in a project to any user with the view_shared_work_packages permission. Authorization is performed only at the project level, without verifying that the requesting user can actually view each individual shared work package.

Risk Assessment

The organization is at risk of leaking confidential information, such as work package IDs and subjects (including confidential titles), as well as the list of users with access and their roles (Editor, Commenter, Viewer).

Recommendation

Update OpenProject immediately to version 17.3.2 or 17.4.0, which contain the fix for this vulnerability.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS