CVE-2026-23721 Overview
CVE-2026-23721 is a Broken Access Control vulnerability affecting OpenProject, an open-source, web-based project management software. The vulnerability exists in the group membership visibility functionality, where a failed permission check allows users with the View Members permission in any project to enumerate all Groups and view which other users are part of those groups, regardless of whether they should have access to that information.
Critical Impact
Authenticated users can enumerate all group memberships across the entire OpenProject instance, potentially exposing organizational structure and user relationships.
Affected Products
- OpenProject 17.x versions prior to 17.0.1
- OpenProject 16.x versions prior to 16.6.5
Discovery Timeline
- 2026-01-19 - CVE-2026-23721 published to NVD
- 2026-01-19 - Last updated in the NVD database
Technical Details for CVE-2026-23721
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), indicating that the application fails to perform an authorization check when a user attempts to access group membership information. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project where that specific group is also a member. However, due to improper permission validation, the system incorrectly grants access to group membership data across the entire instance.
The vulnerability allows any authenticated user with View Members permission in at least one project to access group membership information for all groups, even those associated with projects where the user has no permissions. This represents a horizontal privilege escalation scenario where users can access data belonging to organizational units or projects they are not authorized to view.
Root Cause
The root cause is a failed permission check in OpenProject's group membership visibility logic. The application does not properly scope the authorization check to verify that the requesting user has View Members permission specifically for projects where the target group has membership. Instead, having View Members permission in any single project grants visibility into all group memberships system-wide.
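The scoping error described above, modelled in plain Ruby as an added example (this is not OpenProject's code; the user, group and project names, the :view_members symbol and the helper functions are assumptions made for illustration). The first function reproduces the flawed pattern, in which holding View Members anywhere unlocks every group; the second shows the correctly scoped check, in which a group is visible only through a project where the user holds View Members and the group is itself a member.

```ruby
# Added example, not OpenProject's code. All data below is constructed.

# user => { project => [permissions] }  (constructed)
USER_PERMISSIONS = {
  "alice" => { alpha: %i[view_members view_work_packages] },     # member of alpha only
  "bob"   => { beta: %i[view_work_packages] },                   # in beta, but without view_members
  "carol" => { alpha: %i[view_members], gamma: %i[view_members] }
}.freeze

# group => projects the group is a member of  (constructed)
GROUP_PROJECTS = {
  "devs"     => %i[alpha],
  "finance"  => %i[beta],
  "execs"    => %i[gamma],
  "orphaned" => []                                               # group with no project membership
}.freeze

# Projects in which the user holds the (hypothetical) :view_members permission.
def view_members_projects(user)
  (USER_PERMISSIONS[user] || {}).select { |_project, perms| perms.include?(:view_members) }.keys
end

# Flawed pattern (what the advisory describes): the check only asks
# "does the user hold :view_members in *any* project?" and, if so,
# returns every group in the instance.
def visible_groups_unscoped(user)
  return [] if view_members_projects(user).empty?
  GROUP_PROJECTS.keys
end

# Corrected pattern: a group is visible only if it is a member of at least one
# project in which the requesting user holds :view_members.
def visible_groups_scoped(user)
  allowed = view_members_projects(user)
  GROUP_PROJECTS.select { |_group, projects| (projects & allowed).any? }.keys
end

if __FILE__ == $PROGRAM_NAME
  %w[alice bob carol].each do |u|
    puts "#{u}: unscoped=#{visible_groups_unscoped(u).inspect} scoped=#{visible_groups_scoped(u).inspect}"
  end
end
```

Running the file prints, for alice, all four groups under the unscoped check but only "devs" under the scoped one; the "orphaned" group, which belongs to no project, is never visible under the scoped rule, which is the behaviour the advisory's description of the intended policy implies.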
Attack Vector
An attacker with a valid OpenProject account and View Members permission in any project can exploit this vulnerability through the following attack flow:
- The attacker authenticates to the OpenProject instance with valid credentials
- The attacker has or obtains View Members permission in at least one project
- The attacker queries the group membership endpoint or navigates to group listings
- Due to the missing authorization check, the application returns all groups and their members
- The attacker can enumerate the complete organizational structure and user-group relationships
This attack is network-based and requires low privileges (authenticated user with basic permissions). No user interaction is required for exploitation.
Detection Methods for CVE-2026-23721
Indicators of Compromise
- Unusual API requests to group membership endpoints from users who should not have access to all groups
- Increased query volume against user and group enumeration endpoints
- Access logs showing group listing requests from accounts with limited project memberships
- Audit trails indicating bulk retrieval of group membership data
Detection Strategies
- Monitor API access patterns for group and membership endpoints, flagging requests that return data for groups outside the user's authorized projects
- Implement logging for all group membership queries and alert on anomalous access patterns
- Review access logs for users repeatedly querying group information across multiple groups they are not members of
- Configure Web Application Firewall (WAF) rules to detect enumeration attempts against user and group endpoints
Monitoring Recommendations
- Enable detailed audit logging for all group and membership-related operations in OpenProject
- Set up alerts for users accessing group membership data for an unusually high number of groups
- Correlate user project memberships with their group information access to identify unauthorized access attempts
- Monitor for automated scripting patterns that may indicate bulk enumeration of organizational data
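The correlation described in the monitoring recommendations above (comparing which groups a user actually read against the groups that user is entitled to see, and flagging bulk reads), as an added example that is not part of the advisory or of OpenProject. The log line format, the /api/v3/groups paths in the constructed log, the authorized-group map and the thresholds are assumptions; on a real deployment the map would be derived from the projects each user holds View Members in and the groups those projects contain, and LINE_RE would be adjusted to the reverse proxy's actual log format.

```ruby
# Added example, not OpenProject's code. Log lines and the authorization map are constructed.
require "set"
require "time"

# user => groups the user is entitled to see (constructed; the output of a correctly scoped check)
AUTHORIZED_GROUPS = {
  "alice" => Set["devs"],
  "carol" => Set["devs", "execs"],
  "bob"   => Set[]
}.freeze

# Constructed access log: "<iso8601> user=<login> <METHOD> <path> <status>"
SAMPLE_LOG = <<~LOG
  2026-01-20T10:15:02Z user=alice GET /api/v3/groups/devs 200
  2026-01-20T10:15:03Z user=alice GET /api/v3/groups/finance 200
  2026-01-20T10:15:03Z user=alice GET /api/v3/groups/execs 200
  2026-01-20T10:15:04Z user=alice GET /api/v3/groups/orphaned 200
  2026-01-20T10:20:00Z user=carol GET /api/v3/groups/execs 200
  2026-01-20T10:21:00Z user=bob GET /api/v3/work_packages/12 200
  2026-01-20T10:22:00Z user=carol GET /api/v3/groups 200
LOG

LINE_RE = /\A(?<ts>\S+) user=(?<user>\S+) (?<method>\S+) (?<path>\S+) (?<status>\d{3})\z/
GROUP_PATH_RE = %r{\A/api/v3/groups(?:/(?<group>[^/?]+))?}   # assumed path shape

Finding = Struct.new(:user, :kind, :detail)

def parse_line(line)
  m = LINE_RE.match(line.strip) or return nil
  { ts: Time.iso8601(m[:ts]), user: m[:user], path: m[:path], status: m[:status].to_i }
end

# Produces two kinds of findings:
#   :unauthorized_group - a successful read of a specific group the user may not see
#   :enumeration        - more than max_groups distinct groups read within `window` seconds
def detect(log, max_groups: 3, window: 300)
  findings = []
  per_user = Hash.new { |h, k| h[k] = [] }          # user => [[time, group], ...]
  log.each_line do |line|
    ev = parse_line(line) or next
    g = GROUP_PATH_RE.match(ev[:path]) or next
    next unless ev[:status] == 200                    # only successful reads disclose data
    group = g[:group] or next                         # collection listing: not scored here
    allowed = AUTHORIZED_GROUPS.fetch(ev[:user], Set[])
    findings << Finding.new(ev[:user], :unauthorized_group, group) unless allowed.include?(group)
    per_user[ev[:user]] << [ev[:ts], group]
  end
  per_user.each do |user, events|
    events.sort_by!(&:first)
    events.each_index do |i|
      in_window = events[i..-1].take_while { |ts, _| ts - events[i][0] <= window }
      distinct = in_window.map(&:last).uniq.size
      if distinct > max_groups
        findings << Finding.new(user, :enumeration, "#{distinct} distinct groups within #{window}s")
        break
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  detect(SAMPLE_LOG).each { |f| puts "#{f.user}\t#{f.kind}\t#{f.detail}" }
end
```

On the constructed log this reports three unauthorized group reads by alice (finance, execs, orphaned) and one enumeration finding for her four distinct groups inside the window, while carol's read of a group she is entitled to see and bob's unrelated request produce nothing. The unauthorized-read check is the one that matters after patching too: on a fixed instance such reads should no longer succeed, so any remaining 200 responses outside the authorized set point at a policy or data problem.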
How to Mitigate CVE-2026-23721
Immediate Actions Required
- Upgrade OpenProject to version 17.0.1 or 16.6.5 immediately to address this vulnerability
- Review access logs for potential prior exploitation of this vulnerability
- Audit current group membership configurations and assess the sensitivity of exposed user relationships
- Consider implementing network segmentation to limit access to the OpenProject instance while patching
Patch Information
The vulnerability has been fixed in OpenProject versions 17.0.1 and 16.6.5. Organizations should upgrade to one of these patched versions based on their current deployment. Detailed information about the fix is available in the GitHub Security Advisory.
Workarounds
- No known workarounds remove the vulnerability; upgrading to a patched version (17.0.1 or 16.6.5) is the only remediation
- As a temporary, defense-in-depth measure until patching is complete, restrict network access to OpenProject to trusted users
- Likewise, audit and minimize the number of users holding the View Members permission, since any such user can trigger the flaw
# Upgrade OpenProject to a patched version (17.0.1 shown; use 16.6.5 for a 16.x deployment)
# For Docker deployments:
docker pull openproject/community:17.0.1
# The compose file's image tag must reference the new version (or a tag that resolves to it),
# otherwise the recreated container keeps running the old image
docker-compose down && docker-compose up -d
# Verify the installed version after upgrade ("openproject" is the container name; adjust to yours)
docker exec -it openproject bin/rails runner "puts OpenProject::VERSION::STRING"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.