Description

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.

PUBLISHED Reserved 2026-05-18 | Published 2026-06-26 | Updated 2026-06-26 | Assigner GitHub_M

HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-862: Missing Authorization

Product status

< 17.3.3: affected

>= 17.4.0, < 17.4.1: affected

References

github.com/...roject/security/advisories/GHSA-f2rx-x2qj-2hgj exploit

github.com/...roject/security/advisories/GHSA-f2rx-x2qj-2hgj

cve.org (CVE-2026-47193)

nvd.nist.gov (CVE-2026-47193)
