Description
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability applies to backup code verification. This effectively allows complete 2FA bypass for any account where the password is known. This issue has been fixed in version 17.3.0.
Published: 2026-04-15
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via OTP Brute Force
Action: Immediate Patch
AI Analysis

Impact

OpenProject versions earlier than 17.3.0 let an attacker who already knows a user's password guess the time-based one-time password used as the second factor, because the confirm_otp action of the two_factor_authentication module applies no rate limiting, lockout, or failed-attempt tracking; the existing brute_force_block_after_failed_logins setting counts only password-stage failures. With the default ±60-second drift window (two 30-second TOTP steps either side of the current one, so roughly five six-digit codes are valid at any moment), an adversary submitting 5-10 guesses per second sweeps the 10^6 code space in about eleven hours on average. The same gap exists in backup-code verification, so the second factor can be bypassed outright for any account whose password has been compromised. The weakness is CWE-307 (Improper Restriction of Excessive Authentication Attempts). The CVSS vector rates confidentiality and integrity impact as high and availability as none: the outcome is unauthorized access to the account, not denial of service.
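The following is an added example in Ruby (OpenProject's own language) that makes the arithmetic in the CVE description and the Impact paragraph concrete; it is not code from OpenProject or from the CVE record. It implements RFC 6238 TOTP, a verifier that behaves as the advisory describes (a ±60 s drift window and no failed-attempt tracking), an illustrative locking verifier standing in for the kind of control a fix would add (the page does not describe the 17.3.0 change, so the counter, threshold and lockout period are assumptions), and an attacker loop that submits guesses at a fixed rate against a simulated clock. The secret, epoch, class and method names are all constructed for the demo.

```ruby
require 'openssl'

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
SECRET = 'constructed-demo-secret-not-a-real-one'.b  # constructed for the demo, not a real secret
START = 1_800_000_000                                 # constructed epoch for the simulated clock

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation.
def hotp(secret, counter)
  mac = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))
  off = mac[-1].ord & 0x0f
  num = ((mac[off].ord & 0x7f) << 24) | (mac[off + 1].ord << 16) |
        (mac[off + 2].ord << 8) | mac[off + 3].ord
  format("%0#{DIGITS}d", num % 10**DIGITS)
end

# RFC 6238 TOTP for `time`, shifted by whole steps to model a drifted client clock.
def totp(secret, time, drift_steps = 0)
  hotp(secret, time.to_i / STEP + drift_steps)
end

class TotpVerifier
  def initialize(secret, drift_seconds: 60)
    @secret = secret
    @drift_steps = drift_seconds / STEP  # ±60 s = ±2 steps = 5 simultaneously valid codes
    @cache = {}                          # per-step cache only so the simulation runs fast
  end

  # Every code the server accepts at `now`: the current step plus the drift window.
  def valid_codes(now)
    step = now.to_i / STEP
    @cache[step] ||= (-@drift_steps..@drift_steps).map { |d| hotp(@secret, step + d) }
  end

  def locked?(_now)
    false
  end
end

# Behaviour the advisory describes for OpenProject < 17.3.0: a wrong code costs nothing,
# so the attacker's only constraint is how fast the server answers.
class UnthrottledVerifier < TotpVerifier
  def verify(code, now)
    valid_codes(now).include?(code)
  end
end

# Illustrative hardened verifier (assumed design, not OpenProject's actual 17.3.0 change):
# per-user failure counter, OTP stage locked for lockout_seconds after max_failures.
class LockingVerifier < TotpVerifier
  def initialize(secret, drift_seconds: 60, max_failures: 5, lockout_seconds: 900)
    super(secret, drift_seconds: drift_seconds)
    @max_failures, @lockout_seconds = max_failures, lockout_seconds
    @failures, @locked_until = 0, nil
  end

  def locked?(now)
    !@locked_until.nil? && now < @locked_until
  end

  def verify(code, now)
    return false if locked?(now)                        # even a correct code is refused
    @failures, @locked_until = 0, nil if @locked_until  # lockout expired: start fresh
    ok = valid_codes(now).include?(code)
    if ok
      @failures = 0
    else
      @failures += 1
      @locked_until = now + @lockout_seconds if @failures >= @max_failures
    end
    ok
  end
end

# Attacker model from the advisory: password already known, guesses submitted at
# `rate` per second, sweeping the code space and wrapping while the window moves.
def brute_force(verifier, start:, rate:, max_attempts:)
  attempts = guess = 0
  hit = false
  while attempts < max_attempts
    now = start + attempts.fdiv(rate)
    attempts += 1
    hit = verifier.verify(format("%0#{DIGITS}d", guess), now)
    break if hit || verifier.locked?(now)   # success, or the hardened stage shut the door
    guess = (guess + 1) % 10**DIGITS
  end
  { hit: hit, attempts: attempts, seconds: attempts.fdiv(rate) }
end

# Expected time to success as the advisory states it: code space / (valid codes * rate).
def expected_seconds(rate, drift_seconds: 60)
  (10**DIGITS).fdiv((2 * (drift_seconds / STEP) + 1) * rate)
end

if __FILE__ == $PROGRAM_NAME
  printf("expected %.1f h at 5 guesses/s\n", expected_seconds(5) / 3600)
  p brute_force(UnthrottledVerifier.new(SECRET), start: START, rate: 5, max_attempts: 3_000_000)
  p brute_force(LockingVerifier.new(SECRET), start: START, rate: 5, max_attempts: 3_000_000)
end
```

Run it with `ruby` as a script: the unthrottled sweep lands on a valid code after on the order of 10^6/5 guesses, which at five per second is the eleven hours the advisory cites, while the locking verifier stops the same sweep at the fifth wrong code and refuses even the correct code until the lockout expires. Two design points matter in a real deployment: the counter must be stored server-side per user (not per session or per IP), otherwise starting a fresh login resets it; and a lockout lets anyone holding the password lock the legitimate user out of the OTP stage, so pair it with alerting rather than relying on it alone. Production code should also compare codes in constant time; `include?` is used here only to keep the demo short.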

Affected Systems

Vendor: OpenProject. Product: OpenProject project-management software. Affected versions: all releases prior to 17.3.0. Vulnerable code paths: the confirm_otp action of the two_factor_authentication module and the backup code verification path. Fixed in 17.3.0.

Risk and Exploitability

The CVSS 3.1 base score is 7.4 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N: exploitable over normal web traffic with no privileges or user interaction, rated high attack complexity because a valid password must be obtained first and the guessing takes hours of sustained requests. EPSS is below 1% and the flaw is not listed in the CISA KEV catalog; the SSVC record notes a public proof of concept and total technical impact. The practical risk concentrates where passwords are weak, reused, or already leaked: once the password is in hand, the absence of any throttling removes the only constraint on OTP guessing. A sustained stream of several OTP submissions per second against one account is the observable signature of the attack and should be alertable from web-server or application logs.

Generated by OpenCVE AI on April 16, 2026 at 09:10 UTC.

Remediation

Vendor fix: OpenProject 17.3.0 (per the CVE record). No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade to OpenProject 17.3.0 or later; this is the vendor fix and the only change that closes both the TOTP and the backup-code verification paths.
  • If an upgrade cannot be performed immediately, do not disable two-factor authentication: that leaves accounts protected by the password alone, which is exactly the attacker's starting position here. Instead, rate-limit OTP confirmation requests (the confirm_otp action) at the reverse proxy or WAF in front of OpenProject, a few attempts per minute per session or source address is ample for a legitimate user where the attack needs 5-10 per second, and alert on repeated failed OTP submissions for a single account.
  • Reduce the chance that the password is known in the first place: enforce a strong password policy, keep brute_force_block_after_failed_logins enabled for the password stage, and screen credentials against known-breach lists. Where your deployment supports them, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys, which have no guessable code space.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Opf
                                      Opf openproject
Vendors & Products                    Opf
                                      Opf openproject

Wed, 15 Apr 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 19:00:00 +0000

Type         Values Removed   Values Added
Description                   (the CVE description quoted at the top of this page)
Title                         OpenProject: 2FA OTP Verification Missing Rate Limiting
Weaknesses                    CWE-307
References
Metrics                       cvssV3_1
                              {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:00:14.503Z

Reserved: 2026-03-23T15:23:42.220Z

Link: CVE-2026-33667

Vulnrichment

Updated: 2026-04-15T20:00:04.898Z

NVD

Status : Awaiting Analysis

Published: 2026-04-15T19:16:35.603

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-33667

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses