
CVE-2026-22602: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in opf openproject

Severity: Low
Published: Sat Jan 10 2026 (01/10/2026, 01:06:12 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.

AI-Powered Analysis

Last updated: 01/10/2026, 02:01:51 UTC

Technical Analysis

CVE-2026-22602 is an information disclosure vulnerability (CWE-200) in OpenProject, an open-source, web-based project management tool. In versions prior to 16.6.2, a low-privileged authenticated user can read the full names of other users because user IDs are assigned sequentially and predictably (e.g., 1 to 1000): iterating through user profile URLs, or making the equivalent requests through the OpenProject API, yields the full names of every account. The root cause is that the application does not restrict access to user identity information according to the requesting user's privilege level. Exploitation requires an authenticated account with at least low privileges and some user interaction, but no elevated permissions. The flaw exposes no credentials or personal data beyond full names, and it does not allow modification or disruption of the system. OpenProject 16.6.2 addresses the issue by restricting access to user information appropriately; organizations unable to upgrade can apply the patch manually. No exploits are known in the wild at this time, and the CVSS v3.1 base score is 3.5 (low), reflecting the limited impact and the preconditions for exploitation.

Potential Impact

For European organizations, the primary impact of CVE-2026-22602 is the unauthorized disclosure of user full names within OpenProject environments. While full names alone may seem low risk, they can facilitate social engineering, spear-phishing, or targeted reconnaissance by exposing organizational personnel details. This is particularly relevant for organizations managing sensitive or confidential projects where user identity exposure could indirectly lead to further attacks. The vulnerability does not compromise system integrity or availability, so operational disruption is unlikely. However, in sectors with strict privacy regulations such as GDPR, even limited personal data exposure can have compliance implications and reputational consequences. Organizations using OpenProject for project management should assess the sensitivity of their user data and the potential for misuse of exposed information. The risk is mitigated by the requirement for authenticated access, limiting exposure to insiders or compromised accounts.

Mitigation Recommendations

The primary mitigation is to upgrade OpenProject installations to version 16.6.2 or later, where the vulnerability is patched. For organizations unable to upgrade immediately, applying the official patch manually is recommended to restrict access to user full names. Additionally, organizations should enforce strong authentication controls to reduce the risk of unauthorized access by low-privileged users. Monitoring and logging API usage and user profile access patterns can help detect automated enumeration attempts. Limiting user permissions to the minimum necessary and reviewing user roles regularly will reduce the attack surface. Educating users about social engineering risks stemming from exposed user information can further mitigate downstream impacts. Finally, organizations should review their privacy policies and ensure compliance with data protection regulations regarding the exposure of personal data.
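As an added defensive example (not part of this advisory or of OpenProject's own code), the following Python script applies the monitoring recommendation above: it scans access-log lines for a single authenticated client fetching many consecutive user IDs within a short window, which is the enumeration pattern the advisory describes. The `/users/<id>` and `/api/v3/users/<id>` path shapes, the combined-log line format and the sample log lines are all constructed assumptions, not taken from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-style line: ip ident user [timestamp] "request" status ... (assumed format)
LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})')
# Web profile path and API v3 user path (assumed shapes, not taken from the advisory).
USER_PATH = re.compile(r"^GET /(?:api/v3/)?users/(\d+)(?:[/? ]|$)")

def parse(line):
    """Return (ip, user, timestamp, user_id) for a successful user-profile fetch, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, user, ts, request, status = m.groups()
    p = USER_PATH.match(request)
    if not p or status != "200":
        return None
    return ip, user, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(p.group(1))

def find_enumerators(lines, min_ids=5, window_s=60, min_sequential_ratio=0.6):
    """Flag (ip, user) pairs that fetch many distinct, mostly consecutive user IDs quickly."""
    by_actor = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_actor[(rec[0], rec[1])].append((rec[2], rec[3]))
    alerts = []
    for (ip, user), hits in by_actor.items():
        hits.sort()  # chronological order
        ids = sorted({uid for _, uid in hits})
        if len(ids) < min_ids:
            continue
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if span > window_s:
            continue
        # Share of gaps between neighbouring IDs that equal exactly 1 (a sequential walk).
        steps = [b - a for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            alerts.append({"ip": ip, "user": user, "distinct_ids": len(ids),
                           "span_s": span, "sequential_ratio": round(ratio, 2)})
    return alerts

# Constructed sample: alice walks IDs 1-6 via UI and API paths; bob views one profile normally.
SAMPLE_LOG = [
    f'10.0.0.5 - alice [10/Jan/2026:09:00:0{i} +0000] "GET /{p}/{i} HTTP/1.1" 200 300'
    for i, p in enumerate(["users"] * 3 + ["api/v3/users"] * 3, start=1)
] + ['10.0.0.9 - bob [10/Jan/2026:09:00:07 +0000] "GET /users/42 HTTP/1.1" 200 520']
```

Thresholds should be tuned to the deployment: a people directory page that legitimately loads many profiles in one request burst will look different from a walk over consecutive IDs, which is why the sequential-gap ratio is checked alongside volume.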


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-07T21:50:39.533Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6961b006ed32c7f018eb8fdd

Added to database: 1/10/2026, 1:48:54 AM

Last enriched: 1/10/2026, 2:01:51 AM

Last updated: 1/10/2026, 9:00:39 PM
