CVE-2026-23721
📋 TL;DR
OpenProject versions before 17.0.1 and 16.6.5 have an information disclosure vulnerability where users with View Members permission in any project can enumerate all groups and see their members. This exposes group membership information that should be restricted. All OpenProject instances using affected versions with group functionality are impacted.
💻 Affected Systems
- OpenProject
📦 What is this software?
OpenProject by OpenProject
⚠️ Risk & Real-World Impact
Worst Case
Attackers with basic user access could map organizational structure, identify privileged users, and gather intelligence for social engineering or targeted attacks.
Likely Case
Internal users or compromised accounts discover group memberships they shouldn't see, potentially learning about project teams, reporting structures, or sensitive assignments.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires authenticated user access with View Members permission in at least one project. The vulnerability is in the permission check logic, making exploitation straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.0.1 or 16.6.5
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h
Restart Required: Yes
Instructions:
1. Back up your OpenProject instance and database.
2. Update to OpenProject 17.0.1 or 16.6.5 using your deployment method (Docker, package manager, manual).
3. Restart the OpenProject service.
4. Verify that the update completed successfully.
🧯 If You Can't Patch
- Review and minimize users with View Members permission to essential personnel only.
- Implement network segmentation to restrict access to OpenProject from untrusted networks.
🔍 How to Verify
Check if Vulnerable:
Check the OpenProject version in the admin interface or by running the 'openproject version' command. If the version is below 17.0.1 (for 17.x) or below 16.6.5 (for 16.x), you are vulnerable.
Check Version:
openproject version
Verify Fix Applied:
After updating, verify that the version is 17.0.1 or higher (for 17.x) or 16.6.5 or higher (for 16.x). Then test with a user who has View Members permission in only one project to confirm they can no longer enumerate groups they should not have access to.
📡 Detection & Monitoring
Log Indicators:
- Unusual group enumeration patterns in application logs
- Multiple requests to group membership endpoints from single users
Network Indicators:
- Increased requests to /api/v3/groups or similar group-related endpoints
SIEM Query:
source="openproject" AND (uri_path="/api/v3/groups" OR uri_path="/groups") AND user_has_permission="View Members"
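As an added example (not from the advisory or from OpenProject), the second log indicator above, many requests to group endpoints from a single user in a short window, expressed as a script over constructed access-log lines. The log line format, the user field, the 10-minute window and the threshold of 4 are assumptions; the endpoint paths are the ones named in the detection section.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, generic access-log shape (not OpenProject's real log format):
# "<ISO timestamp> user=<login> <METHOD> <path> <status>"
SAMPLE_LOG = """\
2026-01-10T09:00:01Z user=alice GET /api/v3/groups 200
2026-01-10T09:00:02Z user=alice GET /api/v3/groups/3 200
2026-01-10T09:00:03Z user=alice GET /api/v3/groups/4 200
2026-01-10T09:00:04Z user=alice GET /api/v3/groups/5 200
2026-01-10T09:00:05Z user=alice GET /api/v3/groups/6 200
2026-01-10T09:00:07Z user=bob GET /api/v3/groups 200
2026-01-10T10:30:00Z user=bob GET /groups/2 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Group endpoints named in the advisory's detection section, including sub-paths and query strings.
GROUP_PATH_RE = re.compile(r"^/(api/v3/)?groups(/|\?|$)")


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def flag_group_enumeration(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users with more than `threshold` successful
    group-endpoint requests inside any sliding interval of length `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200 and GROUP_PATH_RE.match(rec["path"]):
            hits[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged
```

Tune the threshold to your instance: a single listing of groups by a project admin is normal, while a rapid walk through every group id is the pattern worth an alert.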