CVE-2026-23721: CWE-862: Missing Authorization in opf openproject
CVE-2026-23721 is a medium severity vulnerability in OpenProject, an open-source project management tool. The flaw involves missing authorization checks allowing users with 'View Members' permission in any project to enumerate all groups and see their members, even if they shouldn't have access. This issue affects OpenProject versions prior to 16.6.5 and version 17.0.0, and has been fixed in versions 16.6.5 and 17.0.1.
AI Analysis
Technical Summary
CVE-2026-23721 is a missing authorization vulnerability (CWE-862) in OpenProject, a widely used open-source web-based project management software. The vulnerability arises from a failed permission check related to group membership visibility. In OpenProject, groups are used to manage users across projects, and group members should only be visible to users who have the 'View Members' permission in projects where the group is a member. However, in versions prior to 16.6.5 and specifically version 17.0.0, any user with 'View Members' permission in any project could enumerate all groups and view all members of those groups, regardless of whether they had permission in those specific groups or projects. This unauthorized enumeration leaks potentially sensitive information about user memberships and organizational structure. The vulnerability requires the attacker to be authenticated with at least 'View Members' permission in any project, but no further user interaction is required. The flaw does not allow modification or deletion of data, nor does it impact system availability. The issue was addressed and fixed in OpenProject versions 16.6.5 and 17.0.1 by correcting the permission checks to restrict group member visibility appropriately. There are no known workarounds, and no exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 4.3 (medium), reflecting the limited impact on confidentiality and the requirement for authenticated access.
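The permission-check failure described above, modelled as an added Ruby example (OpenProject is a Rails application). This is not OpenProject's code: the classes, method names and the sample users, groups and projects are all constructed here to contrast a global "View Members in any project" check with the per-project check the text describes as the fix.

```ruby
# Illustrative model of CWE-862 in group-member visibility. Hypothetical
# classes; not taken from OpenProject.
require 'set'

Group   = Struct.new(:name, :members)   # members: user names
Project = Struct.new(:name, :members)   # members: user names and group names

class Authz
  # grants: { [user, project_name] => Set of permission symbols }
  def initialize(projects:, groups:, grants:)
    @projects, @groups, @grants = projects, groups, grants
  end

  def allowed_in?(user, project, perm)
    @grants.fetch([user, project.name], Set.new).include?(perm)
  end

  def allowed_in_any_project?(user, perm)
    @projects.any? { |p| allowed_in?(user, p, perm) }
  end

  # Vulnerable pattern (as described for < 16.6.5 and 17.0.0): one global
  # check, then every group and all of its members are returned.
  def visible_groups_vulnerable(user)
    return {} unless allowed_in_any_project?(user, :view_members)
    @groups.to_h { |g| [g.name, g.members] }
  end

  # Corrected pattern (as described for 16.6.5 / 17.0.1): a group is visible
  # only if it is a member of a project where the user holds :view_members.
  def visible_groups_fixed(user)
    @groups.select { |g|
      @projects.any? { |p| p.members.include?(g.name) && allowed_in?(user, p, :view_members) }
    }.to_h { |g| [g.name, g.members] }
  end
end

# Constructed sample data: alice has View Members only in "Website".
DEMO = Authz.new(
  projects: [Project.new('Website', %w[alice Marketing]),
             Project.new('Payroll', %w[bob Finance])],
  groups:   [Group.new('Marketing', %w[alice carol]),
             Group.new('Finance', %w[bob dave])],
  grants:   { %w[alice Website] => Set[:view_members] }
)

if $PROGRAM_NAME == __FILE__
  p DEMO.visible_groups_vulnerable('alice')  # leaks Finance as well as Marketing
  p DEMO.visible_groups_fixed('alice')       # only Marketing
end
```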
Potential Impact
For European organizations, the primary impact of CVE-2026-23721 is the unauthorized disclosure of user group membership information within OpenProject. This could lead to increased risk of targeted social engineering or spear-phishing attacks by revealing internal team structures and user roles. While the vulnerability does not allow data modification or system disruption, the leakage of membership data can compromise confidentiality and potentially aid attackers in reconnaissance phases of an attack. Organizations with strict data privacy requirements, such as those governed by GDPR, may face compliance risks if sensitive user information is exposed. The impact is more pronounced in organizations where OpenProject is used extensively for managing sensitive projects or where group membership reflects sensitive organizational hierarchies. Since exploitation requires authenticated access with 'View Members' permission, the risk is limited to insiders or compromised accounts but remains significant in environments with many users having this permission. The absence of known exploits reduces immediate risk but does not eliminate the need for prompt remediation.
Mitigation Recommendations
European organizations should immediately upgrade OpenProject installations to version 16.6.5 or 17.0.1 or later, where the vulnerability is fixed. Until upgrades are applied, organizations should audit user permissions to minimize the number of users granted 'View Members' permission, restricting it only to those who absolutely require it. Implement strict access controls and monitor for unusual access patterns to group membership data. Employ multi-factor authentication (MFA) to reduce the risk of account compromise that could lead to exploitation. Regularly review and update group memberships and permissions to ensure least privilege principles are enforced. Additionally, consider network segmentation and application-layer firewalls to limit access to OpenProject instances. Maintain up-to-date logging and alerting to detect any attempts to enumerate groups or access sensitive user information. Since no workarounds exist, patching remains the most effective mitigation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-15T15:45:01.955Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696e73e1d302b072d9cff0ad
Added to database: 1/19/2026, 6:11:45 PM
Last enriched: 1/26/2026, 8:11:44 PM
Last updated: 2/6/2026, 2:57:58 AM