CVE-2026-22605 is an improper access control vulnerability classified under CWE-284, affecting OpenProject, an open-source web-based project management software widely used for collaborative project tracking and documentation. The vulnerability exists in versions prior to 16.6.3, where users granted the 'View Meetings' permission on any project could access meeting details of projects they are not authorized to view. This occurs because the access control mechanism fails to properly restrict meeting data visibility based on project membership or permissions beyond the 'View Meetings' scope. The flaw allows unauthorized disclosure of potentially sensitive meeting information, including agendas, minutes, participant lists, and other project-related discussions. Exploitation requires the attacker to be an authenticated user with at least the 'View Meetings' permission on some project, but no additional user interaction is necessary. The vulnerability does not impact data integrity or system availability. The issue was publicly disclosed and patched in OpenProject version 16.6.3, which corrects the access control checks to enforce proper project-level restrictions on meeting data access. No known exploits are currently reported in the wild, but the vulnerability presents a risk for insider threats or compromised accounts with limited permissions.

For European organizations, this vulnerability primarily threatens the confidentiality of project meeting information, which may include sensitive strategic, financial, or operational data. Unauthorized access to such information can lead to competitive disadvantages, leakage of confidential business plans, or exposure of personal data of meeting participants, potentially violating GDPR requirements. While the vulnerability does not affect system integrity or availability, the unauthorized disclosure risk can undermine trust in project management processes and compliance postures. Organizations in sectors with high confidentiality requirements, such as finance, government, and critical infrastructure, are particularly at risk. The ease of exploitation by any authenticated user with minimal privileges increases the attack surface, especially in large organizations with many users and complex permission structures. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future abuse.

The primary mitigation is to upgrade all OpenProject instances to version 16.6.3 or later, where the vulnerability is patched. Organizations should conduct an audit of user permissions, specifically reviewing who has the 'View Meetings' permission, and restrict it to only those users who require it for their role. Implementing the principle of least privilege reduces the risk of unauthorized data access. Additionally, monitoring and logging access to meeting data can help detect anomalous access patterns indicative of exploitation attempts. For environments where immediate upgrade is not feasible, consider applying compensating controls such as network segmentation, enhanced authentication mechanisms, or temporarily disabling the 'View Meetings' permission for non-essential users. Regularly review and update access control policies to ensure they align with organizational security requirements and compliance obligations.