CVE Catalog

CVE-2026-47193

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in OpenProject before versions 17.3.3 and 17.4.1 allows the journal diff endpoint to disclose hidden historical field values without enforcing object and field visibility.

Risk Assessment

An attacker can access confidential data that should be hidden, compromising information confidentiality in the organization.

Recommendation

Immediately update OpenProject to version 17.3.3 or 17.4.1, where this vulnerability is fixed.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS