Disclosure of Historical Field Values in OpenProject by OPF
CVE-2026-47193

7.5HIGH

Key Information:

Vendor: Opf
Status: Openproject
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-47193?

OpenProject, a web-based project management tool, has a vulnerability in the journal diff endpoint, which allows unauthorized access to historical field values that should remain hidden. This issue occurs due to a lack of proper enforcement of object and field visibility prior to versions 17.3.3 and 17.4.1. The vulnerability has been remediated in these versions, emphasizing the importance of keeping software updated to safeguard sensitive information.

Affected Version(s)

openproject < 17.3.3 < 17.3.3

openproject >= 17.4.0, < 17.4.1 < 17.4.0, 17.4.1

References

https://github.com/opf/openproject/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
May 18, 2026

CVE-2026-47193 Data

JSON

Opf

What is CVE-2026-47193?

Affected Version(s)

References

CVSS V3.1

Timeline