HIGHCVE-2026-47193Published 2026-06-26Modified 2026-06-26CNA GitHub_M

CVE-2026-47193: OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

opf / openproject
< 17.3.3 · >= 17.4.0, < 17.4.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

https://github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj

Metrics

Get notified