Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable history endpoint with low complexity; a journal/diff view normally needs an authenticated session, so PR:L; pure confidentiality disclosure means C:H, I:N, A:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.
AnalysisAI
Information disclosure in OpenProject before 17.3.3 and 17.4.1 lets remote attackers read hidden historical field values through the journal diff endpoint, which fails to enforce object- and field-level visibility checks. The flaw (CWE-200) carries a CVSS 7.5 driven entirely by high confidentiality impact, exposing prior values of work-package fields that should be restricted. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires reaching the journal diff (work-package change-history) endpoint and requesting the diff for an object or field the requester is not authorized to view; the bug is that the endpoint does not re-enforce object and field visibility, so restricted historical values are returned. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-provided CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5) models a network-reachable, low-complexity, no-interaction, unauthenticated read with high confidentiality and no integrity or availability impact, which is internally consistent for a pure data-disclosure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to an OpenProject instance requests the journal/history diff for a work package whose fields or related objects they are not authorized to see. Because the diff endpoint omits the visibility checks, the response returns the hidden historical values - for example previously redacted custom-field contents or restricted descriptions - disclosing data the attacker could not view through the normal UI. … |
| Remediation | Vendor-released patch: upgrade to OpenProject 17.3.3 (for 17.3.x deployments) or 17.4.1 (for 17.4.x deployments) per advisory GHSA-f2rx-x2qj-2hgj (https://github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all OpenProject instances running vulnerable versions (before 17.3.3 in the 17.3 branch and before 17.4.1 in the 17.4 branch); assess data sensitivity of affected work-package repositories. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openproject
View allA SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi
OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39872