CVE-2026-22603
Brute-Force Vulnerability in OpenProject Password-Change Endpoint
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opf | openproject | to 16.6.1 (exc) |
| opf | openproject | 16.6.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22603 is a security vulnerability in OpenProject versions prior to 16.6.2 where the unauthenticated password-change endpoint (/account/change_password) lacked brute-force protections. This means an attacker who can guess or enumerate user IDs could send unlimited password-change requests without triggering lockout or rate-limiting controls. As a result, attackers could automate password-guessing attacks against valid accounts. If successful, this leads to full account compromise and potentially further privilege escalation, depending on the user's role. The vulnerability was fixed by adding brute-force protection mechanisms to the password-change endpoint, including locking accounts after multiple failed attempts and logging these attempts. [2, 3, 4]
How can this vulnerability impact me?
This vulnerability can allow an attacker to fully compromise user accounts by guessing passwords through unlimited password-change attempts without being blocked. Once an attacker gains control of an account, they may escalate privileges within the OpenProject application depending on the compromised user's role. This can lead to unauthorized access to sensitive project management data and potentially disrupt project workflows or leak confidential information. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or excessive password-change requests to the /account/change_password endpoint, especially those that do not trigger lockouts or rate limiting. Detection can involve checking logs for repeated failed password-change attempts or failed login attempts related to password changes. Since the vulnerability involves brute-force attacks without lockout, commands that analyze web server or application logs for repeated POST requests to /account/change_password from the same IP, or targeting the same user IDs, can help. For example, using grep or similar tools on the logs:

1. `grep '/account/change_password' access.log | awk '{print $1}' | sort | uniq -c | sort -nr` (to find IPs with many requests)
2. `grep 'failed login' application.log | grep 'password change'` (to find failed attempts)

Additionally, monitoring for accounts with unusually high failed-login counts or lockout status can indicate exploitation attempts. However, no specific commands are provided in the resources. [2, 3, 4]
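The grep/awk pipeline above gives a raw count per IP, which is noisy: a legitimate user may change their password several times over a day. The script below is an added example, not part of the advisory and not OpenProject tooling; it parses access-log lines in the common combined log format (client IP in the first field, which is also what the awk one-liner assumes) and flags sources that send a burst of POSTs to the endpoint inside a short sliding window. The log lines are constructed for the example.

```python
"""Flag client IPs that burst POST requests at the password-change endpoint.

Added example (not from the advisory or OpenProject). The sample lines below
are constructed in the common combined log format; adjust LINE_RE if your
proxy or web server logs a different layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sends six POSTs inside six seconds, the
# other two hosts make only occasional requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "POST /account/change_password HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "POST /account/change_password HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "POST /account/change_password HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "POST /account/change_password HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2026:10:00:05 +0000] "POST /account/change_password HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2026:10:00:06 +0000] "POST /account/change_password HTTP/1.1" 200 512
198.51.100.4 - - [10/Jan/2026:10:00:07 +0000] "GET /projects HTTP/1.1" 200 9001
198.51.100.4 - - [10/Jan/2026:10:05:00 +0000] "POST /account/change_password HTTP/1.1" 302 0
192.0.2.9 - - [10/Jan/2026:11:00:00 +0000] "POST /account/change_password HTTP/1.1" 200 512
192.0.2.9 - - [10/Jan/2026:12:00:00 +0000] "POST /account/change_password HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ENDPOINT = "/account/change_password"


def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than miscount
        yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
               m["method"], m["path"], int(m["status"]))


def count_per_ip(log_text):
    """Total POSTs to the endpoint per IP (what the grep|awk|uniq -c pipeline reports)."""
    counts = defaultdict(int)
    for ip, _, method, path, _ in parse(log_text):
        if method == "POST" and path == ENDPOINT:
            counts[ip] += 1
    return dict(counts)


def burst_sources(log_text, threshold=5, window_seconds=60):
    """IPs that sent more than `threshold` POSTs to the endpoint inside any
    sliding window of `window_seconds`; maps IP -> largest burst seen."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ip, ts, method, path, _ in parse(log_text):
        if method == "POST" and path == ENDPOINT:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            in_window = end - start + 1
            if in_window > threshold:
                flagged[ip] = max(flagged.get(ip, 0), in_window)
    return flagged


if __name__ == "__main__":
    print("POSTs per IP:", count_per_ip(SAMPLE_LOG))
    print("burst sources:", burst_sources(SAMPLE_LOG))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. Because the endpoint is reachable without a session, the access log is the only place every attempt is guaranteed to appear; application-level failure logs only exist once a version with the fix is running.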
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading OpenProject to version 16.6.2 or later, where the vulnerability is patched with brute-force protections on the password-change endpoint. If upgrading is not possible immediately, apply the provided patch manually (69216-password-change-brute-force.patch). As interim mitigations, restrict or disable unauthenticated access to the /account/change_password endpoint by requiring authentication or one-time tokens, implement rate limiting or IP throttling using reverse proxies or web application firewalls (WAFs), and enforce strong, unique passwords for all users. These measures reduce the risk of automated password guessing but do not replace upgrading. [2, 3]
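To make concrete what the fix described in the first answer adds (lock the account after repeated failed attempts, log every attempt) and what the interim per-IP throttling above adds on top, here is an added example: a minimal password-change handler in its unprotected, CWE-307 shape beside a hardened one. This is not OpenProject's code and not the referenced patch; the user store, the thresholds, the handler signature and the client IP values are hypothetical.

```python
"""Per-account lockout plus per-IP throttling for a password-change handler.

Added example, not OpenProject's code and not the advisory's patch. The user
store, thresholds and handler signature are hypothetical.
"""
import hmac
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("password_change")

# Illustrative thresholds; tune them to the deployment.
ACCOUNT_MAX_FAILURES = 5     # lock the account after this many failures ...
IP_MAX_FAILURES = 20         # ... and throttle a source IP after this many
WINDOW_SECONDS = 15 * 60     # both counted inside a sliding 15-minute window


class BruteForceGuard:
    """Sliding-window failure counter keyed by an arbitrary string.

    Failures older than the window are dropped, so a block expires on its own;
    a successful change resets the account's counter explicitly.
    """

    def __init__(self, max_failures, window_seconds, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                    # injectable for tests
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures

    def _recent(self, key):
        q = self.failures[key]
        now = self.clock()
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def reset(self, key):
        self.failures.pop(key, None)


class PasswordChangeService:
    """Two handlers over one constructed user store (plaintext passwords only
    to keep the example short; a real store holds salted hashes)."""

    def __init__(self, users, clock=time.monotonic):
        self.users = dict(users)
        self.account_guard = BruteForceGuard(ACCOUNT_MAX_FAILURES, WINDOW_SECONDS, clock)
        self.ip_guard = BruteForceGuard(IP_MAX_FAILURES, WINDOW_SECONDS, clock)

    def _current_password_ok(self, user_id, candidate):
        stored = self.users.get(user_id, "")
        return hmac.compare_digest(stored.encode(), candidate.encode())

    def change_unprotected(self, user_id, current_password, new_password):
        """Pre-fix shape (CWE-307): every request is evaluated and nothing is
        counted, so a caller can submit candidates without limit."""
        if not self._current_password_ok(user_id, current_password):
            return "wrong_password"
        self.users[user_id] = new_password
        return "changed"

    def change_protected(self, user_id, current_password, new_password, client_ip):
        """Hardened shape: refuse before touching the secret when the account or
        the source IP is over budget; count and log every failure."""
        if self.account_guard.is_blocked(user_id):
            log.warning("refused: account %s locked (ip=%s)", user_id, client_ip)
            return "account_locked"
        if self.ip_guard.is_blocked(client_ip):
            log.warning("refused: ip %s throttled (user=%s)", client_ip, user_id)
            return "ip_throttled"
        if not self._current_password_ok(user_id, current_password):
            self.account_guard.record_failure(user_id)
            self.ip_guard.record_failure(client_ip)
            log.warning("failed password change: user=%s ip=%s", user_id, client_ip)
            return "wrong_password"
        self.account_guard.reset(user_id)
        self.users[user_id] = new_password
        return "changed"


def run_guessing_sequence(protected, attempts=7):
    """Submit `attempts` wrong guesses for one account from one IP, then the
    real current password; return the outcomes so both shapes can be compared."""
    svc = PasswordChangeService({"u1": "correct-horse-battery-staple"})  # constructed
    ip = "203.0.113.7"                                                   # constructed
    outcomes = []
    for i in range(attempts):
        guess = f"guess-{i}"
        outcomes.append(svc.change_protected("u1", guess, "new-pw", ip) if protected
                        else svc.change_unprotected("u1", guess, "new-pw"))
    real = "correct-horse-battery-staple"
    outcomes.append(svc.change_protected("u1", real, "new-pw", ip) if protected
                    else svc.change_unprotected("u1", real, "new-pw"))
    return outcomes


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("unprotected:", run_guessing_sequence(protected=False))
    print("protected:  ", run_guessing_sequence(protected=True))
```

In the unprotected run every guess is evaluated and the eighth request (the real password) succeeds; in the protected run the sixth and later requests are refused with `account_locked`, including the one carrying the correct password, until the window expires. That is the trade-off of an account-keyed lockout: it also locks out the legitimate user, which is why the window is kept short and why the IP-keyed guard exists as a second, independent budget for a host spraying many accounts.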