Description
OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2.
Published: 2026-01-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration via Unauthenticated Endpoint
Action: Patch Now
AI Analysis

Impact

An error response from the /account/change_password endpoint reveals the username of any user when an arbitrary user ID is supplied, even when the requester is not authenticated. The endpoint must be reachable without a session by design, yet the error page it renders is built from whatever account the client-supplied password_change_user_id parameter resolves to, so the response discloses both that the ID exists and which login it belongs to. Iterating IDs therefore yields the complete list of account usernames on an OpenProject instance, which can be leveraged for targeted phishing, credential stuffing, or further attacks that require knowledge of valid identities. The weakness is a classic information disclosure scenario, mapped to CWE-200.
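To make the disclosure pattern concrete, the following Ruby snippet is an added illustration written for this page; it is not OpenProject's code and does not claim to show the 16.6.2 patch. It contrasts an error path that builds its message from the record a client-chosen ID resolves to with a hardened path that binds the permitted account to the server-side session and returns a constant message. The USERS table, the function names and the session key are assumptions made for the example.

```ruby
# Added illustration, not OpenProject's code: an error-handling pattern that
# leaks a login beside a hardened pattern. USERS, the function names and the
# session key are assumptions made for this example.

USERS = {
  1  => { login: "admin" },
  42 => { login: "j.doe" },
}.freeze

GENERIC_ERROR = "Password change failed".freeze

# Vulnerable pattern: the client picks the ID, the server resolves it and
# builds the error text from the record it found, so the response reveals
# both whether the ID exists and what the login is.
def vulnerable_change_password(params)
  user = USERS[Integer(params["password_change_user_id"], exception: false)]
  return "Password change failed: no such user" if user.nil?
  "Password change failed for user #{user[:login]}"
end

# Hardened pattern: the account that may be changed is whatever the server
# bound to the session when the password-change flow started. The
# client-supplied ID is only compared against that binding, the users table
# is never consulted on the error path, and the error text is a constant, so
# the response is identical for real and non-existent IDs.
def hardened_change_password(params, session)
  requested = Integer(params["password_change_user_id"], exception: false)
  return GENERIC_ERROR unless requested && requested == session[:password_change_user_id]
  # Real code would validate the old and new password and update the record here.
  "Password changed for the account bound to this session"
end
```

The check a reviewer wants is the last property: the hardened function must return byte-identical output for an ID that exists and one that does not, and it must never reach the users table before the session binding has been verified.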

Affected Systems

OpenProject versions from 11.2.1 up to (but not including) 16.6.2 are affected. The software vendor is OpenProject, and the public package is the OpenProject web application.

Risk and Exploitability

The CVSS v4.0 score of 6.9 indicates moderate severity; NVD's CVSS 3.1 assessment is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), a confidentiality-only impact. The EPSS score is less than 1%, suggesting that, at the time of this analysis, the likelihood of exploitation in the wild is low. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no widely publicized exploits are known. Exploitation requires only one unauthenticated HTTP POST per user ID, and the SSVC assessment marks it as automatable: an attacker with network access to the instance can iterate password_change_user_id values and read a login from each error page, with no session required. The impact is disclosure of account names that facilitates later attacks rather than immediate compromise of data integrity or availability.

Generated by OpenCVE AI on April 18, 2026 at 07:17 UTC.

Remediation

No separate vendor workaround is recorded; the fix is the upgrade to OpenProject 16.6.2 named in the description.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 16.6.2 or later, which stops the error page from disclosing the username.
  • If an upgrade is not immediately possible, rate-limit POST requests to /account/change_password per source address at the reverse proxy or web application firewall. Blocking the endpoint outright is not a clean workaround, because it is designed to be reached without a session, so legitimate users who need it would be locked out.
  • Monitor application and access logs for repeated POSTs to /account/change_password from one source that cycle through different password_change_user_id values; a single client touching many IDs in a short window indicates enumeration.
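The monitoring action above can be turned into a simple detector. The Ruby script below is an added example written for this page, not an OpenCVE or OpenProject tool. It parses the standard Rails request log shape ("Started POST ... for IP at TIME" followed by a "Parameters:" line), pairs each request with its password_change_user_id, and raises an alert when one source address targets many distinct user IDs inside a short window. The log lines are constructed for the example, and the threshold (5 IDs) and window (60 seconds) are assumptions to tune per deployment.

```ruby
# Added example, not OpenProject or OpenCVE code: detect user-ID enumeration
# against /account/change_password from Rails-style request logs.
# The sample log, the threshold and the window are constructed assumptions.

require "time"

# Rails logs a request as a "Started ..." line followed by a "Parameters:" line.
STARTED = /\AStarted POST "\/account\/change_password" for (?<ip>\S+) at (?<ts>.+)\z/
PARAMS  = /\AParameters: .*"password_change_user_id"=>"(?<uid>[^"]*)"/

# Constructed sample: one legitimate request, then one client walking IDs 1..8.
def build_sample_log
  lines = []
  lines << 'Started POST "/account/change_password" for 198.51.100.7 at 2026-01-12 09:00:00 +0000'
  lines << 'Parameters: {"password_change_user_id"=>"17", "new_password"=>"[FILTERED]"}'
  (1..8).each do |id|
    lines << %(Started POST "/account/change_password" for 203.0.113.5 at 2026-01-12 09:01:#{format('%02d', id)} +0000)
    lines << %(Parameters: {"password_change_user_id"=>"#{id}", "new_password"=>"[FILTERED]"})
  end
  lines.join("\n")
end

# Pair each "Started" line with the "Parameters:" line that follows it.
def parse_requests(log)
  requests = []
  pending = nil
  log.each_line do |raw|
    line = raw.strip
    if (m = STARTED.match(line))
      pending = { ip: m[:ip], at: Time.parse(m[:ts]) }
    elsif pending && (m = PARAMS.match(line))
      requests << pending.merge(uid: m[:uid])
      pending = nil
    end
  end
  requests
end

# Alert on any client that targets at least min_ids distinct user IDs
# within window seconds; one alert per client, anchored at the first request
# of the offending window.
def detect_enumeration(requests, min_ids: 5, window: 60)
  alerts = []
  requests.group_by { |r| r[:ip] }.each do |ip, reqs|
    reqs = reqs.sort_by { |r| r[:at] }
    reqs.each_index do |i|
      t0 = reqs[i][:at]
      in_window = reqs[i..-1].select { |r| r[:at] - t0 <= window }
      ids = in_window.map { |r| r[:uid] }.uniq
      if ids.size >= min_ids
        alerts << { ip: ip, distinct_ids: ids.size, first_seen: t0 }
        break
      end
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_enumeration(parse_requests(build_sample_log)).each do |a|
    puts "enumeration from #{a[:ip]}: #{a[:distinct_ids]} user IDs starting #{a[:first_seen]}"
  end
end
```

Two caveats when running this against real logs: behind a reverse proxy the "for IP" field is the proxy's address unless the application is configured to trust X-Forwarded-For, so key on the forwarded client address where available; and an attacker can spread requests across many sources, so a second, coarser rule counting distinct IDs per hour across all clients catches the slow variant.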


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 22:30:00 +0000

Type      Values removed   Values added
CPEs      -                cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
Metrics   -                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Mon, 12 Jan 2026 20:15:00 +0000

Type      Values removed   Values added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type                  Values removed   Values added
First Time appeared   -                Openproject; Openproject openproject
Vendors & Products    -                Openproject; Openproject openproject

Sat, 10 Jan 2026 01:45:00 +0000

Type          Values removed   Values added
Description   -                OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2.
Title         -                OpenProject is vulnerable to user enumeration via the change password function
Weaknesses    -                CWE-200
References    -                -
Metrics       -                cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T19:16:12.780Z

Reserved: 2026-01-07T21:50:39.533Z

Link: CVE-2026-22604

Vulnrichment

Updated: 2026-01-12T19:16:10.309Z

NVD

Status : Analyzed

Published: 2026-01-10T02:15:49.343

Modified: 2026-01-14T22:27:23.780

Link: CVE-2026-22604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses