Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a business logic error in OpenProject, reachable through a PATCH request to /api/v3/users/me, permits bypassing password requirements. A password validation flaw in the change-password behavior allows attackers to change a user's password with only an active session takeover. This vulnerability is fixed in 17.3.2 and 17.4.0.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a business logic error in the handling of PATCH /api/v3/users/me that lets the caller bypass the password requirements enforced elsewhere. An attacker who already holds a victim's active session can set a new password for that account without presenting the current password, and so turn a temporary session hijack into persistent account takeover: the legitimate user is locked out, and the attacker keeps access after the stolen session would have expired. The weakness is classified as CWE‑620 (Unverified Password Change): the server accepts a password change without re-verifying that the caller knows the existing credential. The flaw does not by itself provide code execution or denial of service.

Affected Systems

All OpenProject releases prior to 17.3.2 are affected, including every earlier release line of the open‑source project management platform. 17.3.2 is the first fixed release on the 17.3 line and 17.4.0 the first fixed release on the 17.4 line; nothing on the 17.4 line earlier than 17.4.0 was published.

Risk and Exploitability

The CVSS 3.1 score of 5.9 (vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N) indicates a moderate risk: the endpoint is reachable over the network by a low‑privileged user without user interaction, but attack complexity is rated high because the attacker must first obtain an active session for the target account (for example, a stolen session cookie or an unattended logged‑in browser). Once in that session, the attacker can change the user's password through the vulnerable API call. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 26, 2026 at 21:20 UTC.

Remediation

The vendor has fixed the issue in OpenProject 17.3.2 and 17.4.0 (see the description above). No separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.3.2 or later, or to 17.4.0 or later, to receive the security fix.
  • If an immediate upgrade is not possible, temporarily disable the password‑change functionality via the API or enforce re‑authentication (current password or a fresh login) for any password change request, to reduce the account‑takeover risk from a hijacked session.
  • Strengthen session security by implementing multi‑factor authentication and limiting session lifetimes to reduce the likelihood of successful session takeover.
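The advisory describes the flaw and the mitigation in prose only. The following is an added example, written for this page and not OpenProject's code, that models the "update self" handler in the project's language (Ruby). It contrasts the vulnerable shape (a session alone is enough; the new password is stored with neither a current‑password check nor the password policy) with the hardened shape recommended above (re‑authentication with the current password, policy enforcement, and revocation of the user's other sessions). The field names `password` and `current_password`, the in‑memory store, the PBKDF2 hashing and the policy thresholds are all assumptions for illustration, not OpenProject's actual schema or configuration.

```ruby
require 'openssl'
require 'securerandom'

# Assumed policy values (illustrative, not OpenProject's configured defaults).
PBKDF2_ITERATIONS = 50_000
PASSWORD_MIN_LENGTH = 12

# Salted PBKDF2-HMAC-SHA256, stored as "salt_hex:digest_hex".
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                    length: 32, hash: 'sha256')
  "#{salt.unpack1('H*')}:#{digest.unpack1('H*')}"
end

# Constant-time byte comparison so the check does not leak match length.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored, candidate)
  salt_hex, digest_hex = stored.split(':', 2)
  digest = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: [salt_hex].pack('H*'),
                                    iterations: PBKDF2_ITERATIONS, length: 32, hash: 'sha256')
  secure_equal?(digest, [digest_hex].pack('H*'))
end

# Assumed password policy: minimum length, letters and digits, not the login name.
def password_meets_policy?(password, login)
  password.length >= PASSWORD_MIN_LENGTH &&
    password.match?(/[A-Za-z]/) && password.match?(/\d/) &&
    password.downcase != login.downcase
end

User = Struct.new(:login, :password_hash)

# Toy user/session store standing in for the application's database.
class Store
  attr_reader :users, :sessions

  def initialize
    @users = {}    # login => User
    @sessions = {} # session id => login
  end

  def add_user(login, password)
    @users[login] = User.new(login, hash_password(password))
  end

  # Returns a fresh session id on success, nil on bad credentials.
  def sign_in(login, password)
    user = @users[login]
    return nil unless user && password_matches?(user.password_hash, password)
    sid = SecureRandom.hex(16)
    @sessions[sid] = login
    sid
  end
end

# Vulnerable shape (CWE-620): anyone holding a valid session may set a new
# password; the current password is never asked for and the policy is skipped.
def vulnerable_patch_me(store, session_id, body)
  login = store.sessions[session_id]
  return :unauthorized unless login
  user = store.users[login]
  user.password_hash = hash_password(body['password']) if body.key?('password')
  :ok
end

# Hardened shape: a password change is a re-authenticated action.
def hardened_patch_me(store, session_id, body)
  login = store.sessions[session_id]
  return :unauthorized unless login
  user = store.users[login]
  return :ok unless body.key?('password') # no password change requested
  return :current_password_required unless body['current_password']
  return :current_password_invalid unless password_matches?(user.password_hash, body['current_password'])
  return :policy_violation unless password_meets_policy?(body['password'], login)
  user.password_hash = hash_password(body['password'])
  # Revoke every other session for this user so a hijacked one cannot keep riding the account.
  store.sessions.delete_if { |sid, l| l == login && sid != session_id }
  :ok
end

if __FILE__ == $PROGRAM_NAME
  store = Store.new
  store.add_user('alice', 'Original-Passw0rd!')
  hijacked = store.sign_in('alice', 'Original-Passw0rd!') # attacker holds a copy of this cookie
  puts "vulnerable: #{vulnerable_patch_me(store, hijacked, 'password' => 'pwned')}"
  puts "hardened, no current password: #{hardened_patch_me(store, hijacked, 'password' => 'Newer-Passw0rd!1')}"
end
```

The hardened handler is the shape of the "enforce re‑authentication" mitigation: the session proves who is logged in, the current password proves the caller is that person, and revoking the other sessions cuts off whoever was riding the hijacked one.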


Tracking


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements. A password validation flaw in the change password behavior allows attackers to change a user's password only with an active session takeover. This vulnerability is fixed in 17.3.2 and 17.4.0.
Title | | OpenProject: Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements
Weaknesses | | CWE-620
References | |
Metrics | | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:47:13.724Z

Reserved: 2026-05-07T18:04:17.309Z

Link: CVE-2026-44733

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T21:30:06Z

Weaknesses
  • CWE-620

    Unverified Password Change