User Information Exposure in OpenProject by Opf
CVE-2026-22602

3.5LOW

Key Information:

Vendor

Opf

Status
Openproject
Vendor
CVE Published:
10 January 2026

What is CVE-2026-22602?

OpenProject, a leading open-source project management solution, has a vulnerability that allows low-privileged logged-in users to obtain the full names of other users through sequentially predictable user IDs. This flaw enables attackers to generate a complete list of usernames by iterating through user-specific URLs or leveraging the OpenProject API for automated access. The vulnerability has been addressed in version 16.6.2, with a manual patch available for those unable to upgrade.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

openproject < 16.6.2

References

https://github.com/opf/openproject/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/opf/openproject/pull/21281
x_refsource_MISC
https://github.com/opf/openproject/commit/fb39a779f521d9b...
x_refsource_MISC

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.