CVE-2026-47193
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A vulnerability in OpenProject before versions 17.3.3 and 17.4.1 allows the journal diff endpoint to disclose hidden historical field values without enforcing object and field visibility.
Risk Assessment
An attacker can access confidential data that should be hidden, compromising information confidentiality in the organization.
Recommendation
Immediately update OpenProject to version 17.3.3 or 17.4.1, where this vulnerability is fixed.
Original NVD description (English source)
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.

