Executive Summary

CVE-2026-22603 is a security vulnerability in OpenProject versions prior to 16.6.2 where the unauthenticated password-change endpoint (/account/change_password) lacked brute-force protections. This means an attacker who can guess or enumerate user IDs could send unlimited password-change requests without triggering lockout or rate-limiting controls. As a result, attackers could automate password guessing attacks against valid accounts. If successful, this leads to full account compromise and potentially further privilege escalation depending on the user's role. The vulnerability was fixed by adding brute force protection mechanisms to the password-change endpoint, including locking accounts after multiple failed attempts and logging these attempts. [2, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to fully compromise user accounts by guessing passwords through unlimited password-change attempts without being blocked. Once an attacker gains control of an account, they may escalate privileges within the OpenProject application depending on the compromised user's role. This can lead to unauthorized access to sensitive project management data and potentially disrupt project workflows or leak confidential information. [3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive password-change requests to the /account/change_password endpoint, especially those that do not trigger lockouts or rate limiting. Detection can involve checking logs for repeated failed password-change attempts or failed login attempts related to password changes. Since the vulnerability involves brute force attacks without lockout, commands to analyze web server logs or application logs for repeated POST requests to /account/change_password from the same IP or targeting the same user IDs can help. For example, using grep or similar tools on logs: 1. grep '/account/change_password' access.log | awk '{print $1}' | sort | uniq -c | sort -nr (to find IPs with many requests) 2. grep 'failed login' application.log | grep 'password change' (to find failed attempts) Additionally, monitoring for accounts with unusually high failed login counts or lockout status can indicate exploitation attempts. However, no specific commands are provided in the resources. [2, 3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading OpenProject to version 16.6.2 or later, where the vulnerability is patched with brute force protections on the password-change endpoint. If upgrading is not possible immediately, apply the provided patch manually (69216-password-change-brute-force.patch). As interim mitigations, restrict or disable unauthenticated access to the /account/change_password endpoint by requiring authentication or one-time tokens, implement rate limiting or IP throttling using reverse proxies or web application firewalls (WAFs), and enforce strong, unique passwords for all users. These measures help reduce the risk of automated password guessing attacks but do not replace upgrading. [2, 3]

Useful 0 Not Useful 0