CVE-2026-22603

Severity: Medium (CVSS 4.0 base score 6.9) · EPSS 12.4%
Published Jan 10, 2026 · Modified Jun 17, 2026

Description

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls. This allows automated password-guessing (e.g., with wordlists of common passwords) against valid accounts. Successful guessing results in full account compromise for the targeted user and, depending on that user’s role, can lead to further privilege escalation inside the application. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
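As an added example (not OpenProject's code and not its actual fix), one way to give a password-change endpoint the same brute-force protection as the login form: both flows consult a single throttle keyed by account identifier before the supplied credential is even verified. The `AccountThrottle` class, its limits and `guarded_attempt` are hypothetical.

```ruby
# Added example, not OpenProject's code: one brute-force throttle shared by
# the login form and the password-change endpoint, keyed by account identifier.
class AccountThrottle
  # Hypothetical limits: lock after MAX_FAILURES failures within WINDOW seconds.
  MAX_FAILURES = 5
  WINDOW = 15 * 60

  # The clock is injectable so the window expiry can be exercised in tests.
  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] } # account id => failure timestamps
  end

  # True when the account has exhausted its attempts inside the window.
  def locked?(account_id)
    prune!(account_id)
    @failures[account_id].size >= MAX_FAILURES
  end

  # Record one failed credential check against this account.
  def record_failure(account_id)
    prune!(account_id)
    @failures[account_id] << @clock.call
  end

  # Clear the counter once the caller has verified a correct credential.
  def reset(account_id)
    @failures.delete(account_id)
  end

  private

  # Drop failures older than the window so the lock expires on its own.
  def prune!(account_id)
    cutoff = @clock.call - WINDOW
    @failures[account_id].reject! { |t| t <= cutoff }
  end
end

# Route every credential check (login or current-password check on a
# password change) through the same guard. The block performs the actual
# verification and is only called when the account is not locked, so a
# guess against a locked account is rejected without being evaluated.
def guarded_attempt(throttle, account_id)
  return :locked if throttle.locked?(account_id)
  if yield
    throttle.reset(account_id)
    :ok
  else
    throttle.record_failure(account_id)
    :rejected
  end
end
```

A lock keyed by account identifier also stops an attacker who rotates source addresses, which a purely per-IP limit does not.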

CVSS Details

Base Score: 6.9
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Threat Intelligence

EPSS Exploit Probability: 12.4% percentile
Exploit Status: No Known Exploit
Patch Status: Patch Available

Weaknesses

CWE-307 (Improper Restriction of Excessive Authentication Attempts)

Affected Products

Vendor       Product      Version  Range
openproject  openproject  *        <16.6.2

References

  • github.com https://github.com/opf/openproject/commit/2b394b9ba5af1e5d96a64d7d452d4d44598a4c7f
    Patch
  • github.com https://github.com/opf/openproject/pull/21272
    Issue Tracking
  • github.com https://github.com/opf/openproject/releases/tag/v16.6.2
    Release Notes
  • github.com https://github.com/opf/openproject/security/advisories/GHSA-93x5-prx9-x239
    Patch, Vendor Advisory

Remediation

  • github.com https://github.com/opf/openproject/commit/2b394b9ba5af1e5d96a64d7d452d4d44598a4c7f
    Patch
  • github.com https://github.com/opf/openproject/security/advisories/GHSA-93x5-prx9-x239
    Patch, Vendor Advisory