Home > Vulnerability Database > CVE-2026-22602

Mend.io Vulnerability Database

CVE-2026-22602

Good to know:

Date: January 9, 2026

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.

Severity Score

3.5

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22602

Url: https://github.com/opf/openproject/releases/tag/v16.6.2

Url: https://github.com/opf/openproject/pull/21281

Url: https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j

Url: https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37

Url: https://www.mend.io/vulnerability-database/CVE-2026-22602

Severity Score

3.5

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Top Fix

Upgrade Version

Upgrade to version https://github.com/opf/openproject.git - v16.6.2

Learn More

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22602

Good to know:

Date: January 9, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?