
CVE-2026-22605: CWE-284: Improper Access Control in opf openproject

Severity: Medium
Tags: Vulnerability, CVE-2026-22605, CWE-284
Published: Sat Jan 10 2026 (01/10/2026, 01:07:10 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. OpenProject versions prior to 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings that belonged to projects the user does not have access to. This issue has been patched in version 16.6.3.

AI-Powered Analysis

Last updated: 01/10/2026, 02:01:06 UTC

Technical Analysis

CVE-2026-22605 is an improper access control vulnerability classified under CWE-284, discovered in the open-source project management software OpenProject. The vulnerability affects all versions prior to 16.6.3. It arises because users granted the 'View Meetings' permission on any project can access meeting details from projects they are not authorized to view. This indicates a failure to enforce project-level access restrictions on meeting data: the permission check is effectively evaluated globally rather than against the project that owns the meeting, allowing unauthorized information disclosure. The vulnerability does not require user interaction, but it does require the attacker to be authenticated with at least the 'View Meetings' permission on some project. The CVSS v3.1 base score is 4.3 (medium), reflecting low attack complexity (AC:L), a network attack vector (AV:N), low privileges required (PR:L), no user interaction (UI:N), and a limited impact on confidentiality only (C:L), with no impact on integrity or availability. No known exploits are currently reported in the wild. The issue was addressed in OpenProject version 16.6.3 by correcting the access control checks so that meeting details are only accessible to users with the appropriate permission on the meeting's own project. This vulnerability could lead to unauthorized disclosure of sensitive meeting information, potentially exposing confidential project discussions or plans.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive project meeting information, which could include strategic plans, proprietary data, or personal information. Such exposure could lead to competitive disadvantage, reputational damage, or regulatory compliance issues, especially under GDPR if personal data is involved. Since OpenProject is used in various sectors including government, engineering, and IT, the impact could be significant where sensitive projects are managed. The vulnerability does not affect system integrity or availability, so operational disruption is unlikely. However, the confidentiality breach could facilitate further targeted attacks or insider threats. Organizations relying on OpenProject versions prior to 16.6.3 should consider this a moderate risk and prioritize remediation to prevent data leakage.

Mitigation Recommendations

The primary mitigation is to upgrade OpenProject installations to version 16.6.3 or later, where the access control flaw has been fixed. Organizations should audit current user permissions, especially the 'View Meetings' permission, to ensure it is granted only to trusted users who require it. Implement role-based access control (RBAC) policies to minimize excessive permissions. Additionally, monitor access logs for unusual meeting data access patterns that could indicate exploitation attempts. If immediate upgrade is not feasible, consider restricting network access to the OpenProject instance or isolating sensitive projects. Regularly review and update security policies related to project management tools. Finally, educate users about the importance of safeguarding meeting information and reporting suspicious activity.
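To make the flaw class and the two recommendations above concrete, the following is an added illustration written for this page; it is not OpenProject's code and uses hypothetical names (MeetingAuthorizer, flag_cross_project_reads) and constructed sample data. It contrasts a permission check evaluated against "any project the user is a member of" (the CWE-284 pattern described in the analysis) with one scoped to the meeting's own project, and then reuses the scoped check as an audit over constructed access-log events, the kind of review the "monitor access logs" recommendation calls for.

```ruby
require 'set'

# Constructed sample data (not from OpenProject): two projects, two meetings.
Meeting = Struct.new(:id, :project_id, :title)

MEETINGS = {
  'm1' => Meeting.new('m1', 1, 'Alpha sprint review'),
  'm2' => Meeting.new('m2', 2, 'Beta budget planning')
}.freeze

# user => { project_id => Set of permissions held on that project }
MEMBERSHIPS = {
  alice: { 1 => Set[:view_meetings] },                          # member of project 1 only
  bob:   { 1 => Set[:view_meetings], 2 => Set[:view_meetings] },
  carol: { 2 => Set[:view_work_packages] },                     # in project 2, but without View Meetings
}.freeze

# Hypothetical authorizer used for this illustration only.
class MeetingAuthorizer
  def initialize(memberships)
    @memberships = memberships
  end

  # Does the user hold `permission` on this specific project?
  def allowed_on?(user, permission, project_id)
    perms = @memberships.dig(user, project_id)
    !perms.nil? && perms.include?(permission)
  end

  # Flawed pattern: "does the user have View Meetings anywhere?"
  # It ignores which project the meeting belongs to, so a member of
  # project 1 passes the check for a meeting in project 2.
  def visible_global_check?(user, _meeting)
    @memberships.fetch(user, {}).values.any? { |perms| perms.include?(:view_meetings) }
  end

  # Hardened pattern: the permission must be held on the meeting's own project.
  def visible?(user, meeting)
    allowed_on?(user, :view_meetings, meeting.project_id)
  end
end

# Audit helper: returns the access events whose user would NOT pass the
# project-scoped check, i.e. candidate cross-project reads worth reviewing.
def flag_cross_project_reads(authorizer, meetings, events)
  events.reject do |event|
    meeting = meetings[event[:meeting_id]]
    meeting && authorizer.visible?(event[:user], meeting)
  end
end

# Constructed access-log events (user, meeting id, timestamp).
EVENTS = [
  { user: :alice, meeting_id: 'm1', at: '2026-01-10T01:00:00Z' },
  { user: :alice, meeting_id: 'm2', at: '2026-01-10T01:05:00Z' }, # alice is not in project 2
  { user: :bob,   meeting_id: 'm2', at: '2026-01-10T01:06:00Z' },
  { user: :carol, meeting_id: 'm2', at: '2026-01-10T01:07:00Z' }, # carol lacks View Meetings
  { user: :dave,  meeting_id: 'm1', at: '2026-01-10T01:08:00Z' }  # dave has no memberships at all
].freeze

AUTHORIZER = MeetingAuthorizer.new(MEMBERSHIPS)

if __FILE__ == $PROGRAM_NAME
  flag_cross_project_reads(AUTHORIZER, MEETINGS, EVENTS).each do |e|
    puts "FLAG #{e[:at]} user=#{e[:user]} meeting=#{e[:meeting_id]}"
  end
end
```

The point of the audit helper is that, once the fix is in place, the same project-scoped predicate that gates the request can be run retroactively over historical access records to find reads that the old global check would have allowed but the corrected one would not.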


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-07T21:50:39.533Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6961b006ed32c7f018eb8fef

Added to database: 1/10/2026, 1:48:54 AM

Last enriched: 1/10/2026, 2:01:06 AM

Last updated: 1/10/2026, 8:40:36 PM

