{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22605", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.533Z", "datePublished": "2026-01-10T01:07:10.412Z", "dateUpdated": "2026-01-12T19:15:27.143Z"}, "containers": {"cna": {"title": "OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j"}, {"name": "https://github.com/opf/openproject/releases/tag/v16.6.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/releases/tag/v16.6.3"}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"version": "< 16.6.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T01:07:10.412Z"}, "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3."}], "source": {"advisory": "GHSA-fq4m-pxvm-8x2j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T19:15:19.921386Z", "id": "CVE-2026-22605", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T19:15:27.143Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22605", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T19:15:19.921386Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T19:15:24.629Z"}}], "cna": {"title": "OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings", "source": {"advisory": "GHSA-fq4m-pxvm-8x2j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"status": "affected", "version": "< 16.6.3"}]}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j", "name": "https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opf/openproject/releases/tag/v16.6.3", "name": "https://github.com/opf/openproject/releases/tag/v16.6.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T01:07:10.412Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22605", "state": "PUBLISHED", "dateUpdated": "2026-01-12T19:15:27.143Z", "dateReserved": "2026-01-07T21:50:39.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T01:07:10.412Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2267B9E-E4A8-4C9D-9BEF-BE744BAEDF0E", "versionEndExcluding": "16.6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3."}], "id": "CVE-2026-22605", "lastModified": "2026-01-14T22:27:55.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T02:15:49.487", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opf/openproject/releases/tag/v16.6.3"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}