
CVE-2026-23721: CWE-862: Missing Authorization in opf openproject

Severity: Medium
Published: Mon Jan 19 2026 (01/19/2026, 17:52:35 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.

AI-Powered Analysis

Last updated: 01/19/2026, 18:26:15 UTC

Technical Analysis

CVE-2026-23721 is a vulnerability in OpenProject, an open-source web-based project management tool, identified as a missing authorization check (CWE-862). The flaw exists in versions prior to 16.6.5 and in 17.0.0, where the software incorrectly allows users who have the 'View Members' permission in any project to enumerate all groups and view their members, regardless of whether those groups are associated with projects where the user has permission. This occurs because the permission check intended to restrict group member visibility fails to properly enforce access boundaries, enabling unauthorized information disclosure. The vulnerability does not allow modification or deletion of data, nor does it affect system availability, but it leaks potentially sensitive membership information that could be leveraged for social engineering or further attacks. The vulnerability requires the user to be authenticated and does not require any user interaction beyond normal use. The issue was addressed and fixed in OpenProject versions 16.6.5 and 17.0.1, with no known workarounds available. No public exploits have been reported to date. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the network attack vector, low complexity, required privileges, and limited impact on confidentiality only.
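The visibility rule described in the Description and Technical Analysis above, modelled as an added illustration in plain Ruby (OpenProject is a Rails application, but this is not OpenProject's code): the broken check accepts a View Members permission held in any project, while the corrected check requires the permission in a project the group itself belongs to. All users, groups and project names are constructed sample data.

```ruby
# Added example, not OpenProject code. Models the authorization rule from the
# advisory: a user may see a group's members only if they hold :view_members
# in at least one project that the group is also a member of.

# permissions: { "Project name" => [:view_members, ...] }  (constructed shape)
User  = Struct.new(:name, :permissions)
# members: user names; projects: projects the group is a member of
Group = Struct.new(:name, :members, :projects)

# Behaviour the advisory describes as vulnerable (CWE-862): the check only asks
# whether the user has View Members *somewhere*, not where.
def visible_members_broken(user, group)
  anywhere = user.permissions.values.any? { |perms| perms.include?(:view_members) }
  anywhere ? group.members : []
end

# Corrected check: intersect the user's View Members projects with the group's
# own projects; only a non-empty intersection grants visibility.
def visible_members_fixed(user, group)
  shared = group.projects.select do |project|
    user.permissions.fetch(project, []).include?(:view_members)
  end
  shared.empty? ? [] : group.members
end

# What a single user can enumerate across every group under a given check;
# with the broken check this is the "enumerate all Groups" outcome.
def enumerable_groups(user, groups, check)
  groups.select { |g| !send(check, user, g).empty? }.map(&:name)
end

# Constructed sample data: alice only has View Members in Project A.
ALICE = User.new("alice", { "Project A" => [:view_members],
                            "Project B" => [:view_work_packages] })
SALES = Group.new("Sales", ["bob", "carol"], ["Project B"])
ENG   = Group.new("Engineering", ["dave"], ["Project A", "Project C"])
GROUPS = [SALES, ENG].freeze

if __FILE__ == $PROGRAM_NAME
  puts "broken: #{enumerable_groups(ALICE, GROUPS, :visible_members_broken)}"
  puts "fixed:  #{enumerable_groups(ALICE, GROUPS, :visible_members_fixed)}"
end
```

Running it shows the broken check exposing both groups to alice, while the fixed check limits her to Engineering, the only group sharing a project where she holds View Members.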

Potential Impact

For European organizations using vulnerable OpenProject versions, this vulnerability can lead to unauthorized disclosure of group membership information. Such information leakage can facilitate targeted social engineering, phishing campaigns, or reconnaissance by malicious actors aiming to escalate privileges or compromise accounts. While the vulnerability does not directly affect data integrity or availability, the exposure of user-group relationships may undermine privacy policies and compliance with data protection regulations such as GDPR. Organizations in sectors with sensitive project data or strict confidentiality requirements may face reputational damage or regulatory scrutiny if such information is leaked. The requirement for authenticated access limits the risk to internal or trusted users, but insider threats or compromised accounts could exploit this flaw. Since OpenProject is widely used in European public and private sectors for project management, the impact is non-negligible, especially in collaborative environments where group membership is sensitive.

Mitigation Recommendations

The primary mitigation is to upgrade OpenProject installations to versions 16.6.5 or 17.0.1 or later, where the authorization check has been corrected. Until patching is possible, organizations should audit and minimize the assignment of the 'View Members' permission, restricting it only to users who absolutely require it. Implement strict access control policies and monitor logs for unusual access patterns to group membership data. Employ network segmentation and strong authentication controls to reduce the risk of account compromise. Additionally, consider implementing compensating controls such as alerting on enumeration attempts or limiting API access to group data. Regularly review user roles and permissions to ensure adherence to the principle of least privilege. Finally, educate users about the risks of information disclosure and encourage reporting of suspicious activity.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-15T15:45:01.955Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 696e73e1d302b072d9cff0ad

Added to database: 1/19/2026, 6:11:45 PM

Last enriched: 1/19/2026, 6:26:15 PM

Last updated: 1/19/2026, 9:15:30 PM

