OpenProject Insecure Direct Object Reference Vulnerability in Meetings Module

Vulnerability

A vulnerability in OpenProject versions prior to 16.6.3 allows users with the View Meetings permission to access meeting details from projects they do not have access to. This issue arises from improper permission handling, enabling unauthorized access to meeting information by manipulating project-specific URLs.

Impact

Exploitation of this vulnerability could lead to unauthorized access to meeting details from restricted projects, creating a risk of disclosing sensitive information.

Reproduction

To reproduce this vulnerability, a user with the View Meetings permission can access meeting details by manipulating the URL to include a project they do not have access to, along with a meeting ID. The application will incorrectly grant access to the meeting information.
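The flawed authorization pattern this advisory describes, and its hardened form, as an added illustration; this is a hypothetical minimal model (constructed users, projects, permissions and meeting records), not OpenProject's own code.

```ruby
# Added illustration of the IDOR pattern in the advisory; NOT OpenProject's code.
# Hypothetical model: projects, per-project permissions, and meeting records.
Meeting = Struct.new(:id, :project_id, :title)

class MeetingAccess
  def initialize
    # Constructed sample data: alice is a member of project 1 only.
    @meetings = {
      10 => Meeting.new(10, 1, "Sprint review (project 1)"),
      20 => Meeting.new(20, 2, "Board meeting (project 2)"),
    }
    @permissions = { ["alice", 1] => [:view_meetings] }
  end

  # Does `user` hold `permission` in `project_id`?
  def allowed?(user, permission, project_id)
    (@permissions[[user, project_id]] || []).include?(permission)
  end

  # Vulnerable pattern: the permission check uses the project id taken from
  # the URL, but the meeting is then loaded by id alone, without verifying
  # that it belongs to that project. A request shaped like
  # /projects/1/meetings/20 therefore returns meeting 20 from project 2.
  def show_meeting_vulnerable(user, url_project_id, meeting_id)
    return nil unless allowed?(user, :view_meetings, url_project_id)
    @meetings[meeting_id]
  end

  # Hardened pattern: resolve the record first, require that it belongs to
  # the project named in the URL, and authorize against the project the
  # record actually belongs to rather than a project id supplied by the client.
  def show_meeting_fixed(user, url_project_id, meeting_id)
    meeting = @meetings[meeting_id]
    return nil if meeting.nil? || meeting.project_id != url_project_id
    return nil unless allowed?(user, :view_meetings, meeting.project_id)
    meeting
  end
end
```

Scoping the lookup to the authorized project (the equivalent of `project.meetings.find(id)` in a Rails controller) is the one-line form of the same fix.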

Remediation

Users are advised to update OpenProject to version 16.6.3 or later. If an immediate update is not possible, the Meetings module can be disabled or the View Meetings permission can be removed from roles that do not require it.

Added: Jan 10, 2026, 2:21 AM
Updated: Jan 10, 2026, 2:21 AM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 5.2
remediation: 8.3
relevance: 2.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.