CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-44735

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.

⚡ Watch CVE-2026-44735

Get an email if CVE-2026-44735 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-44735

CVE.org record

Embed the live status

CVE-2026-44735 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-44735 status](https://www.csirts.com/badge/CVE-2026-44735)](https://www.csirts.com/cve/CVE-2026-44735)