Impact
OpenProject is open‑source, web‑based project management software. Before versions 17.3.2 and 17.4.0, a business logic flaw in the PATCH endpoint at /api/v3/users/me lets attackers bypass password validation. The flaw permits an attacker who has already hijacked a user’s session to change that user’s password without supplying the current password. The vulnerability is classified as CWE‑620, an authentication‑bypass weakness, and only leads to credential compromise rather than code execution or denial of service.
Affected Systems
OpenProject 17.3.x versions prior to 17.3.2 and OpenProject 17.4.x versions prior to 17.4.0 are affected. All earlier releases of the open‑source project management platform are also at risk until patched.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to first obtain an active session on the target system; once in that session, the attacker can change the user’s password through the vulnerable API call.
OpenCVE Enrichment