Description
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls. This allows automated password-guessing (e.g., with wordlists of common passwords) against valid accounts. Successful guessing results in full account compromise for the targeted user and, depending on that user’s role, can lead to further privilege escalation inside the application. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
Published: 2026-01-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover and potential privilege escalation via unrestricted password‑guessing against the password‑change endpoint
Action: Apply patch
AI Analysis

Impact

OpenProject’s unauthenticated password‑change endpoint (/account/change_password) lacks the brute‑force protections that guard the normal login form. An attacker who can discover or guess a valid user identifier can submit unlimited password‑change requests for that account without triggering lockout or rate limits, and can therefore run wordlists of common passwords against it. A correct guess gives the attacker full control of the account, including the ability to set a new password, and, depending on the user’s role, a foothold for privilege escalation within the application. The weakness is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts).

Affected Systems

The vulnerability affects OpenProject, an open‑source, web‑based project management system, in all releases prior to version 16.6.2. Any deployment running an older release is exposed unless the change‑password endpoint is shielded by an external control such as a rate‑limiting reverse proxy.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium), vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N; NVD’s CVSS v3.1 assessment is 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The EPSS score is below 1 % and the issue is not in the CISA KEV catalog, so observed exploitation is currently unlikely. The SSVC assessment nevertheless marks the issue as Automatable, and the attack is cheap: it needs only network access to the web application, a valid user identifier (guessed or enumerated) and a wordlist, with no prior authentication and no user interaction. Accounts with common or reused passwords can fall in a handful of attempts; on an unpatched instance the time to compromise is bounded only by the password policy and the attacker’s request rate.

Generated by OpenCVE AI on April 18, 2026 at 16:34 UTC.
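The guessing pattern described under Risk and Exploitability above is easy to spot from the reverse proxy: one source sends a burst of POSTs to /account/change_password. The following Ruby script, added here as an example and not part of OpenCVE’s analysis or OpenProject’s code, parses nginx/Apache “combined” access-log lines and flags any client IP whose POSTs to that path exceed a threshold inside a sliding window. The log lines are constructed for the demo; the threshold (more than 10 POSTs in 5 minutes) and the decision to count every POST regardless of response status are assumptions to tune for your deployment.

```ruby
require 'time'

# Added example for this page, not OpenCVE's analysis or OpenProject's code:
# flag source IPs that POST to /account/change_password in bursts, which is
# how password guessing against this endpoint shows up at the reverse proxy.
# Assumptions: nginx/Apache "combined" log format, and a threshold of more
# than 10 POSTs inside any 5-minute span; tune both to your deployment.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
TARGET_PATH = '/account/change_password'.freeze

# Parse one combined-format line into a hash, or nil if it does not match.
def parse_access_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ip: m[:ip],
    time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Largest number of timestamps that fall inside any span of +window+ seconds
# (two-pointer sweep over the sorted timestamps).
def peak_in_window(times, window)
  sorted = times.sort
  lo = 0
  peak = 0
  sorted.each_with_index do |t, hi|
    lo += 1 while t - sorted[lo] > window
    peak = [peak, hi - lo + 1].max
  end
  peak
end

# Returns { ip => peak attempts } for IPs whose burst of POSTs to the endpoint
# exceeds +threshold+ within +window+ seconds. Every POST is counted regardless
# of status, because the status returned for a wrong password is not something
# to rely on across versions (assumption: the burst itself is the signal).
def flag_password_change_bursts(lines, threshold: 10, window: 300)
  attempts = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    r = parse_access_line(line)
    next unless r && r[:method] == 'POST' && r[:path] == TARGET_PATH
    attempts[r[:ip]] << r[:time]
  end
  attempts.each_with_object({}) do |(ip, times), flagged|
    peak = peak_in_window(times, window)
    flagged[ip] = peak if peak > threshold
  end
end

# Constructed sample log: one client sends 12 POSTs in under two minutes
# (the guessing pattern); another performs a single legitimate password change.
GUESSING_IP = '203.0.113.7'.freeze
SAMPLE_LOG = (0...12).map do |i|
  format('%s - - [10/Jan/2026:02:%02d:%02d +0000] "POST /account/change_password HTTP/1.1" 200 812 "-" "python-requests/2.32"',
         GUESSING_IP, 15 + i / 6, (i % 6) * 10)
end + [
  '198.51.100.9 - - [10/Jan/2026:02:15:05 +0000] "GET /account/change_password HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Jan/2026:02:15:40 +0000] "POST /account/change_password HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Jan/2026:02:16:01 +0000] "GET /projects HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
  'not a log line at all'
]

if __FILE__ == $PROGRAM_NAME
  flag_password_change_bursts(SAMPLE_LOG).each do |ip, peak|
    puts "#{ip}: #{peak} password-change POSTs inside a 300 s window"
  end
end
```

Run it against a real log with `flag_password_change_bursts(File.readlines('access.log'))`; the legitimate client in the sample is never flagged because a single change is far below any sensible threshold, while the guessing client is flagged with its peak count, which is the number you would attach to the alert.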

Remediation

Vendor fix available: upgrade to OpenProject 16.6.2 or later. Those unable to upgrade may apply the vendor’s patch manually (see the recommended actions below).

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 16.6.2 or later. The package includes the fix that restores brute‑force protection to the password‑change endpoint.
  • If an upgrade is not feasible, apply the manual patch as described in the advisory (commit 2b394b9ba5af1e5d96a64d7d452d4d44598a4c7f) or merge the changes from pull request 21272 to re‑implement the rate‑limiting logic.
  • Until the fix is applied, deploy a reverse‑proxy or firewall rule that rate‑limits or blocks repeated POST requests to /account/change_password. Key the limit on the client IP and, where the proxy can read the form body, on the target account as well, since guessing spread across many source addresses will otherwise stay under a per‑IP limit.
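As a concrete illustration of the interim control described in the last recommendation, here is a Rack‑compatible throttling middleware in Ruby. It is an example written for this page, not OpenProject’s own code and not the upstream fix shipped in 16.6.2. It limits POSTs to /account/change_password both per client IP and per target account with a sliding window, returning HTTP 429 once either counter is exhausted. Assumptions: the login is sent in a form field named `username` (check the real form), the default limits (5 attempts per account and 30 per IP every 15 minutes) suit your site, and a single process holds the counters; a multi‑node deployment would keep them in a shared store.

```ruby
require 'uri'
require 'stringio'

# Added example for this page: a Rack-compatible middleware that throttles
# POST /account/change_password by client IP and by the account named in the
# form body. Illustrative code, not OpenProject's own code and not the upstream
# fix. Assumptions: the login is posted in a field named 'username', the limits
# below suit the deployment, and counters live in this process's memory.
class ChangePasswordThrottle
  PATH = '/account/change_password'.freeze
  ACCOUNT_FIELD = 'username'.freeze # assumed name of the form field carrying the login

  # per_account / per_ip: attempts allowed inside +window+ seconds.
  # +clock+ is injectable so the window can be exercised without sleeping.
  def initialize(app, per_account: 5, per_ip: 30, window: 900,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @app = app
    @per_account = per_account
    @per_ip = per_ip
    @window = window
    @clock = clock
    @attempts = Hash.new { |h, k| h[k] = [] } # [kind, id] => attempt timestamps
  end

  def call(env)
    unless env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == PATH
      return @app.call(env)
    end

    now = @clock.call
    limits = { [:ip, client_ip(env)] => @per_ip }
    account = account_from(env)
    limits[[:account, account.downcase]] = @per_account if account

    # Reject if any counter is already at its limit. Every attempt is counted,
    # right or wrong, because the middleware cannot tell a correct guess from a
    # failed one without interpreting the application's response.
    if limits.any? { |key, limit| recent(key, now).size >= limit }
      return [429, { 'Content-Type' => 'text/plain', 'Retry-After' => @window.to_s },
              ["Too many password-change attempts; try again later.\n"]]
    end
    limits.each_key { |key| @attempts[key] << now }
    @app.call(env)
  end

  private

  # Drop timestamps older than the window and return the ones that remain.
  def recent(key, now)
    list = @attempts[key]
    list.reject! { |t| t <= now - @window }
    list
  end

  # Trust only the direct peer. Behind a proxy you would take the rightmost
  # trusted entry of X-Forwarded-For instead (assumption: no proxy here).
  def client_ip(env)
    env['REMOTE_ADDR'].to_s
  end

  # Read the login from the form body without consuming it for the application.
  def account_from(env)
    input = env['rack.input']
    return nil unless input
    body = input.read
    input.rewind
    name = URI.decode_www_form(body.to_s).to_h[ACCOUNT_FIELD]
    name && !name.empty? ? name : nil
  end
end

# Demo helper: send one constructed password-change request through +app+
# and return the HTTP status. Field names are assumptions, as above.
def change_password_request(app, ip:, user:, password:)
  env = {
    'REQUEST_METHOD' => 'POST',
    'PATH_INFO' => ChangePasswordThrottle::PATH,
    'REMOTE_ADDR' => ip,
    'rack.input' => StringIO.new(URI.encode_www_form('username' => user, 'password' => password))
  }
  app.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  upstream = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ["password changed\n"]] }
  app = ChangePasswordThrottle.new(upstream, per_account: 5)
  statuses = (1..6).map { |i| change_password_request(app, ip: '203.0.113.7', user: 'alice', password: "guess#{i}") }
  puts statuses.inspect # [200, 200, 200, 200, 200, 429]
end
```

Mount it in front of the application (`use ChangePasswordThrottle` in config.ru) or port the same logic to your proxy’s rate‑limiting module. The per‑account counter is what makes the control effective against distributed guessing: once five attempts have been made against `alice`, a sixth from a fresh IP is still refused, and the counters fall away on their own once the window has passed.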



Advisories

No advisories yet.

History

Wed, 14 Jan 2026 22:30:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Tue, 13 Jan 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openproject; Openproject openproject
Vendors & Products                    Openproject; Openproject openproject

Sat, 10 Jan 2026 01:45:00 +0000

Type          Values Removed   Values Added
Description                    OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls. This allows automated password-guessing (e.g., with wordlists of common passwords) against valid accounts. Successful guessing results in full account compromise for the targeted user and, depending on that user’s role, can lead to further privilege escalation inside the application. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
Title                          OpenProject has no protection against brute-force attacks in the Change Password function
Weaknesses                     CWE-307
References
Metrics                        cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:59:34.458Z

Reserved: 2026-01-07T21:50:39.533Z

Link: CVE-2026-22603

Vulnrichment

Updated: 2026-01-13T19:59:30.897Z

NVD

Status : Analyzed

Published: 2026-01-10T02:15:49.200

Modified: 2026-01-14T22:27:03.023

Link: CVE-2026-22603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses