PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44735 opf CVE debrief

CVE-2026-44735 is a vulnerability in OpenProject, an open-source, web-based project management software. The issue arises from the GET /api/v3/shares endpoint, which returns share details for all work packages in a project to any user with the view_shared_work_packages permission. However, the authorization check only operates at the project level and does not verify if the requesting user can view each individual shared work package. This allows regular project members to discover work package IDs, subjects (including confidential titles), and the role levels assigned (Editor, Commenter, Viewer) for work packages they have been granted shared access to. The vulnerability is fixed in OpenProject versions 17.3.2 and 17.4.0.

Vendor: opf
Product: openproject
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

OpenProject administrators, and anyone responsible for the security of projects managed in OpenProject, should be aware of this vulnerability. Given the medium severity and the potential for information disclosure, these users should assess their exposure and apply the necessary patches.

Technical summary

The GET /api/v3/shares endpoint in OpenProject discloses work package details (work package IDs, subjects, and the assigned role levels) to any user holding the view_shared_work_packages permission, because authorization is checked only at the project level and never for each individual work package. The CVSS score for this vulnerability is 6.5, classified as MEDIUM severity. The issue is addressed in OpenProject versions 17.3.2 and 17.4.0.
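The following Ruby snippet is an added illustration of the authorization pattern described above; it is not OpenProject's code and does not reproduce its data model. The Share and User structs, the sample data, and the work_package_visible? rule are all constructed assumptions, chosen only to contrast a listing that authorizes once at project level with one that also filters each object by the requester's visibility.

```ruby
# Added example (not OpenProject's code): project-level vs per-object authorization
# when listing shares. All names and sample data below are constructed.

Share = Struct.new(:work_package_id, :project_id, :subject, :role, :shared_with)
# project_permissions maps project_id => array of permission symbols
User = Struct.new(:id, :project_permissions)

# Constructed sample data: two work packages in project 1, shared with different users.
SHARES = [
  Share.new(101, 1, "Public roadmap", :viewer, 7),
  Share.new(102, 1, "Confidential: reorganisation plan", :editor, 8),
].freeze

def project_permission?(user, project_id, permission)
  user.project_permissions.fetch(project_id, []).include?(permission)
end

# Constructed per-object rule: a user may see a work package's share only if the
# work package was shared with that user. A real application would apply its own
# visibility check here; the point is that the check is made per object.
def work_package_visible?(user, share)
  share.shared_with == user.id
end

# Pattern described in the advisory: one project-level gate, then every share in
# the project is returned, including subjects of work packages the caller cannot view.
def list_shares_project_level(user, project_id)
  return [] unless project_permission?(user, project_id, :view_shared_work_packages)

  SHARES.select { |s| s.project_id == project_id }
end

# Hardened pattern: keep the project-level gate and additionally filter each
# share by whether the requesting user may view that work package.
def list_shares_per_object(user, project_id)
  return [] unless project_permission?(user, project_id, :view_shared_work_packages)

  SHARES.select { |s| s.project_id == project_id && work_package_visible?(user, s) }
end

def subjects(shares)
  shares.map(&:subject)
end

if __FILE__ == $PROGRAM_NAME
  member = User.new(7, { 1 => [:view_shared_work_packages] })
  puts "project-level only: #{subjects(list_shares_project_level(member, 1)).inspect}"
  puts "per-object filter:  #{subjects(list_shares_per_object(member, 1)).inspect}"
end
```

Running the file shows the project-level variant returning both subjects to user 7, while the per-object variant returns only the work package actually shared with that user. The design point is that a permission granted at container level (a project) answers "may this user call the endpoint at all", not "may this user see this particular record"; the second question has to be asked for every record the response would include.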

Defensive priority

Updating OpenProject to version 17.3.2 or 17.4.0 is a high priority, since it removes the information disclosure at its source. In addition, reviewing project member permissions and enforcing the principle of least privilege reduces the potential impact should the patch be delayed.

Recommended defensive actions

  • Update OpenProject to version 17.3.2 or 17.4.0 to patch the vulnerability.
  • Review and adjust project member permissions to ensure the principle of least privilege.
  • Monitor project activity for any unauthorized access attempts.
  • Consider implementing additional logging and monitoring to detect potential exploitation attempts.
  • Inform project members about the vulnerability and the importance of applying patches.

Evidence notes

The CVE-2026-44735 entry and details were sourced from the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) list. The vulnerability was disclosed by the OpenProject team through their security advisory process.

Official resources

This article is AI-assisted and based on the supplied source corpus.