Home > Vulnerability Database > CVE-2026-23721

Mend.io Vulnerability Database

CVE-2026-23721

Good to know:

Date: January 19, 2026

OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.

Severity Score

4.3

Related Resources (3)

Url: https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23721

Url: https://www.mend.io/vulnerability-database/CVE-2026-23721

Severity Score

4.3

Weakness Type (CWE)

Missing Authorization

CWE-862

Top Fix

Upgrade Version

Upgrade to version https://github.com/opf/openproject.git - v16.6.5;https://github.com/opf/openproject.git - v17.0.1

Learn More

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23721

Good to know:

Date: January 19, 2026

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?