Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements. A password validation flaw in the change password behavior allows attackers to change a user's password only with an active session takeover. This vulnerability is fixed in 17.3.2 and 17.4.0.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject is open‑source, web‑based project management software. Before versions 17.3.2 and 17.4.0, a business logic flaw in the PATCH endpoint at /api/v3/users/me lets attackers bypass password validation. The flaw permits an attacker who has already hijacked a user’s session to change that user’s password without supplying the current password. The vulnerability is classified as CWE‑620, an authentication‑bypass weakness, and only leads to credential compromise rather than code execution or denial of service.

Affected Systems

OpenProject 17.3.x versions prior to 17.3.2 and OpenProject 17.4.x versions prior to 17.4.0 are affected. All earlier releases of the open‑source project management platform are also at risk until patched.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to first obtain an active session on the target system; once in that session, the attacker can change the user’s password through the vulnerable API call.

Generated by OpenCVE AI on June 26, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.3.2 or later, or to 17.4.0 or later, to receive the security fix.
  • If an immediate upgrade is not possible, temporarily disable the password‑change functionality via the API or enforce re‑authentication for any password change requests to mitigate the elevation risk.
  • Strengthen session security by implementing multi‑factor authentication and limiting session lifetimes to reduce the likelihood of successful session takeover.

Generated by OpenCVE AI on June 26, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Opf
Opf openproject
Vendors & Products Opf
Opf openproject

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements. A password validation flaw in the change password behavior allows attackers to change a user's password only with an active session takeover. This vulnerability is fixed in 17.3.2 and 17.4.0.
Title OpenProject: Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements
Weaknesses CWE-620
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T13:16:32.190Z

Reserved: 2026-05-07T18:04:17.309Z

Link: CVE-2026-44733

cve-icon Vulnrichment

Updated: 2026-06-29T13:16:25.671Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T01:15:08Z

Weaknesses
  • CWE-620

    Unverified Password Change