CVE-2026-22602 Overview
CVE-2026-22602 is an Information Disclosure vulnerability in OpenProject, an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user can view the full names of other users by exploiting predictable, sequential user IDs. Because user IDs are assigned sequentially (e.g., 1 to 1000), an attacker can extract a complete list of all users' full names by requesting the user profile URL for each ID in turn. The same behavior can also be reproduced via the OpenProject API, so the retrieval of full names can be automated through the API as well.
Critical Impact
Low-privileged authenticated users can enumerate and harvest the full names of all users in the OpenProject instance, potentially enabling targeted phishing attacks or social engineering campaigns against organizational members.
Affected Products
- OpenProject versions prior to 16.6.2
Discovery Timeline
- 2026-01-10 - CVE-2026-22602 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22602
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue lies in insufficient access control on user profile endpoints. When authenticated users access user profile URLs or API endpoints with sequential user IDs, the system returns full user names regardless of whether the requesting user should have visibility into that information.
The vulnerability enables mass enumeration of user identities within an OpenProject instance. While the information exposed is limited to full names rather than credentials or other highly sensitive data, this information leakage can facilitate social engineering attacks, organizational reconnaissance, or targeted phishing campaigns against specific individuals within an organization.
Root Cause
The root cause is an Insecure Direct Object Reference (IDOR) combined with insufficient authorization checks on user profile data. The application uses predictable, sequential integer IDs for user accounts and fails to validate whether the requesting user has appropriate permissions to view another user's full name. This allows any authenticated user to access profile information for arbitrary user IDs by simply modifying the ID parameter in requests.
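The pattern described above, as an added illustration that is not OpenProject's code and does not reproduce the 16.6.2 patch: a profile lookup that checks only that the caller is logged in (the IDOR), beside a variant that also checks whether the requester is allowed to see the target user. The in-memory user directory, the `NotFound` exception and the visibility rule (admins see everyone, others see themselves and members of projects they share) are assumptions chosen for the example. Returning the same response for "no such user" and "not visible" is the detail that keeps the hardened variant from leaking which IDs exist.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    full_name: str
    admin: bool = False
    project_ids: frozenset = frozenset()


class NotFound(Exception):
    """Raised for both 'no such user' and 'not visible' so the response does not reveal which."""


# Constructed user directory with sequential IDs (assumption: any such store would do).
USERS = {
    1: User(1, "Ada Admin", admin=True, project_ids=frozenset({1, 2})),
    2: User(2, "Bob Builder", project_ids=frozenset({1})),
    3: User(3, "Carol Contractor", project_ids=frozenset({2})),
    4: User(4, "Dan Newhire", project_ids=frozenset({1})),
}


def full_name_vulnerable(users, requester_id, target_id):
    """IDOR: the caller is authenticated, but nothing checks whether the
    requester may see the target, so any logged-in user can read any full name."""
    target = users.get(target_id)
    if target is None:
        raise NotFound("user not found")
    return target.full_name


def can_see(requester, target):
    """Visibility rule assumed for this example, not OpenProject's actual rule:
    admins see everyone; everyone else sees themselves and people in shared projects."""
    if requester.admin or requester.id == target.id:
        return True
    return bool(requester.project_ids & target.project_ids)


def full_name_hardened(users, requester_id, target_id):
    """Same lookup with an authorization check; missing and hidden users get
    an identical response so sequential IDs reveal nothing about existence."""
    requester = users[requester_id]
    target = users.get(target_id)
    if target is None or not can_see(requester, target):
        raise NotFound("user not found")
    return target.full_name


def walk_id_range(lookup, users, requester_id, id_range):
    """Verification helper: walk a sequential ID range on behalf of a requester
    and collect what the lookup returns, to compare both variants."""
    found = {}
    for uid in id_range:
        try:
            found[uid] = lookup(users, requester_id, uid)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    # Dan (ID 4) is a low-privileged member of project 1 only.
    print("vulnerable:", walk_id_range(full_name_vulnerable, USERS, 4, range(1, 10)))
    print("hardened:  ", walk_id_range(full_name_hardened, USERS, 4, range(1, 10)))
```

Run stand-alone, the vulnerable lookup hands the low-privileged requester every full name in the directory, while the hardened one returns only the requester's own name and the names of people who share a project with them.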
Attack Vector
The attack requires network access and a low-privileged authenticated account. An attacker can exploit this vulnerability through either the web interface or the OpenProject API:
- The attacker authenticates to OpenProject with any valid low-privileged account
- The attacker identifies the URL pattern for user profile endpoints
- By iterating through sequential user IDs (e.g., /users/1, /users/2, etc.), the attacker retrieves full names for all users
- Alternatively, the attacker can automate this process via the OpenProject API for faster enumeration
In CVSS terms the vulnerability requires privileges (the attacker must hold an authenticated account) but no user interaction: no action is required from the victim users whose information is being exposed.
Detection Methods for CVE-2026-22602
Indicators of Compromise
- Unusual volume of requests to user profile endpoints from a single authenticated session
- Sequential access patterns to /users/{id} or equivalent API endpoints
- Automated scripting behavior targeting user enumeration endpoints
- Unexpected exports or bulk queries against user data
Detection Strategies
- Monitor web server logs for patterns indicating sequential user ID enumeration
- Implement rate limiting alerts on user profile endpoint access
- Configure application-level logging to track unusual access patterns to user data
- Deploy web application firewalls (WAF) with rules to detect enumeration attacks
Monitoring Recommendations
- Enable detailed access logging for user profile and API endpoints
- Set up alerts for high-frequency requests to user-related endpoints from single sessions
- Review authentication logs for accounts exhibiting unusual data access patterns
- Implement anomaly detection for API usage that deviates from normal user behavior
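The log-based detection the two lists above call for, as an added example that is not part of the original advisory: it parses constructed access log lines (the line format, the account field and the `/api/v3/users/{id}` path form are assumptions for the example), groups profile requests per authenticated account, and flags an account when it either touches many distinct user IDs inside a short window or walks strictly consecutive IDs back to back. The thresholds are illustrative and should be tuned to the instance's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real OpenProject output.
# Assumed format: client_ip account [timestamp] "METHOD path HTTP/x" status
SAMPLE_LOG = """\
10.0.0.5 alice [10/Jan/2026:09:00:01 +0000] "GET /projects/1/work_packages HTTP/1.1" 200
10.0.0.7 mallory [10/Jan/2026:09:00:02 +0000] "GET /users/1 HTTP/1.1" 200
10.0.0.7 mallory [10/Jan/2026:09:00:02 +0000] "GET /users/2 HTTP/1.1" 200
10.0.0.7 mallory [10/Jan/2026:09:00:03 +0000] "GET /users/3 HTTP/1.1" 200
10.0.0.7 mallory [10/Jan/2026:09:00:03 +0000] "GET /users/4 HTTP/1.1" 200
10.0.0.7 mallory [10/Jan/2026:09:00:04 +0000] "GET /users/5 HTTP/1.1" 200
10.0.0.7 mallory [10/Jan/2026:09:00:04 +0000] "GET /api/v3/users/6 HTTP/1.1" 200
10.0.0.5 alice [10/Jan/2026:09:00:05 +0000] "GET /users/42 HTTP/1.1" 200
10.0.0.9 bob [10/Jan/2026:09:10:00 +0000] "GET /users/7 HTTP/1.1" 200
10.0.0.9 bob [10/Jan/2026:09:20:00 +0000] "GET /users/8 HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Web profile page and the assumed API equivalent, both keyed by a numeric user ID.
PROFILE_RE = re.compile(r"^/(?:api/v3/)?users/(\d+)$")


def analyze(log_text, window_seconds=60, min_distinct=5, min_run=5):
    """Return per-account statistics on user-profile requests and a flag for
    accounts that look like they are enumerating sequential user IDs."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PROFILE_RE.match(m["path"])
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_user[m["user"]].append((ts, int(p.group(1))))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for user, hits in per_user.items():
        hits.sort()
        max_distinct = 0      # most distinct IDs seen inside any one window
        longest_run = 1       # longest chain of id, id+1, id+2 ... within the window
        run = 1
        start = 0
        for i, (ts, uid) in enumerate(hits):
            while hits[start][0] < ts - window:
                start += 1
            max_distinct = max(max_distinct, len({u for _, u in hits[start:i + 1]}))
            if i > 0:
                prev_ts, prev_id = hits[i - 1]
                run = run + 1 if (uid == prev_id + 1 and ts - prev_ts <= window) else 1
                longest_run = max(longest_run, run)
        findings[user] = {
            "profile_requests": len(hits),
            "max_distinct_ids_in_window": max_distinct,
            "longest_sequential_run": longest_run,
            "flagged": max_distinct >= min_distinct or longest_run >= min_run,
        }
    return findings


def flagged_users(findings):
    """Accounts whose profile access pattern crossed a threshold."""
    return sorted(u for u, f in findings.items() if f["flagged"])


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for user, stats in results.items():
        print(user, stats)
    print("flagged:", flagged_users(results))
```

Only the account that walks IDs 1 through 6 within a few seconds is flagged; a single profile view and two consecutive IDs ten minutes apart stay below both thresholds, which is the trade-off the window setting controls.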
How to Mitigate CVE-2026-22602
Immediate Actions Required
- Upgrade OpenProject to version 16.6.2 or later immediately
- Review access logs for evidence of prior exploitation
- Audit user permissions and access control configurations
- Consider implementing additional rate limiting on user profile endpoints
Patch Information
OpenProject has released version 16.6.2 which addresses this vulnerability. The fix can be found in the GitHub Commit Update. Additional details are available in the GitHub Pull Request and the GitHub Security Advisory GHSA-7fvx-9h6h-g82j. The patched version is available at GitHub Release v16.6.2.
Workarounds
- Apply the patch manually if immediate upgrade is not possible (reference the security advisory for patch details)
- Implement network-level access controls to restrict OpenProject access to trusted IP ranges
- Deploy a web application firewall (WAF) to detect and block enumeration attempts
- Temporarily restrict API access until the patch can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.