CVE-2026-22602 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting OpenProject, an open-source web-based project management software. The flaw exists in versions prior to 16.6.2, where a low-privileged authenticated user can access the full names of other users by exploiting the predictable sequential user ID assignment. By iterating through user IDs in URLs or via the OpenProject API, an attacker can systematically retrieve the full names of all users registered in the system. This information disclosure does not extend to more sensitive data such as passwords or personal identifiers beyond full names, nor does it allow modification or disruption of data or services. The vulnerability requires that the attacker be logged in with at least low-level privileges and involves user interaction to perform the enumeration. The issue was addressed and patched in OpenProject version 16.6.2, with the vendor recommending upgrades or manual patch application for those unable to update immediately. The CVSS v3.1 score of 3.5 reflects a low-severity rating due to limited confidentiality impact, no integrity or availability impact, and relatively straightforward exploitation given authentication and user interaction requirements. No known exploits have been reported in the wild, but the vulnerability could be leveraged for reconnaissance or social engineering purposes.

For European organizations, the primary impact of CVE-2026-22602 is the unauthorized disclosure of user full names within OpenProject instances running vulnerable versions. While full names alone may seem low risk, they can facilitate targeted social engineering, spear-phishing campaigns, or privacy violations under GDPR regulations. Organizations handling sensitive projects or personal data could face reputational damage or regulatory scrutiny if user information is exposed. The vulnerability does not allow access to more sensitive credentials or system control, so direct operational disruption or data integrity compromise is unlikely. However, the ease of automated enumeration via the API increases the risk of large-scale data harvesting. European entities using OpenProject for project management, especially in sectors like government, finance, or critical infrastructure, should consider this a privacy risk that requires timely remediation to maintain compliance and reduce attack surface.

The most effective mitigation is to upgrade OpenProject installations to version 16.6.2 or later, where the vulnerability is fully patched. For organizations unable to upgrade immediately, applying the vendor-provided manual patch is recommended to block unauthorized user enumeration. Additionally, restricting access to the OpenProject API and user enumeration endpoints to trusted IP ranges or VPNs can reduce exposure. Implementing strict role-based access controls to limit low-privileged user capabilities and monitoring API usage logs for unusual enumeration patterns can help detect exploitation attempts. Organizations should also educate users about phishing risks that could leverage disclosed user names. Finally, reviewing and minimizing the amount of user information exposed in the UI and API responses can reduce the impact of similar vulnerabilities.