CVE-2026-22604
User Enumeration Vulnerability in OpenProject Password Change Endpoint
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opf | openproject | From 11.2.1 (inclusive) to 16.6.2 (exclusive) |
| opf | openproject | 16.6.2 |
| opf | openproject | 17.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenProject versions 11.2.1 up to, but not including, 16.6.2 allows an unauthenticated attacker to enumerate the usernames registered on an instance. When a POST request is sent to the /account/change_password endpoint with an arbitrary user ID in the password_change_user_id parameter, the resulting error page reveals the username associated with that ID. The endpoint requires no authentication, and because it discloses usernames in its error responses, usernames can be enumerated remotely. [4]
How can this vulnerability impact me?
The vulnerability impacts confidentiality by exposing the usernames of all registered accounts on an OpenProject instance without requiring authentication or privileges. Such user enumeration can support further targeted attacks, such as phishing or brute-force login attempts. It does not affect the integrity or availability of the system, and no impact beyond username disclosure has been reported. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be confirmed by sending unauthenticated POST requests to the /account/change_password endpoint with arbitrary user IDs in the password_change_user_id parameter and observing whether the error response discloses a username. A simple check using curl could be: curl -X POST https://<openproject-instance>/account/change_password -d "password_change_user_id=<arbitrary_user_id>" -v, then inspecting the response for a disclosed username. [4]
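The check above is run from the client side; on the server side the same behaviour leaves a trace in the application log, where one source submitting many different password_change_user_id values to /account/change_password in a short window is the signature of enumeration. The script below is an added example, not part of this record or of OpenProject's code: it assumes the Rails default request-log format (the "Started ... for <ip> at <time>" and "Parameters:" lines), and the sample lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Rails' default request-log format; the lines are not from a
# real OpenProject deployment and the log layout is assumed to match what it writes.
SAMPLE_LOG = """\
Started POST "/account/change_password" for 203.0.113.5 at 2026-01-12 10:00:01 +0000
  Parameters: {"password_change_user_id"=>"1", "password"=>"[FILTERED]"}
Started POST "/account/change_password" for 203.0.113.5 at 2026-01-12 10:00:02 +0000
  Parameters: {"password_change_user_id"=>"2", "password"=>"[FILTERED]"}
Started POST "/account/change_password" for 203.0.113.5 at 2026-01-12 10:00:03 +0000
  Parameters: {"password_change_user_id"=>"3", "password"=>"[FILTERED]"}
Started POST "/account/change_password" for 198.51.100.7 at 2026-01-12 10:05:00 +0000
  Parameters: {"password_change_user_id"=>"17", "password"=>"[FILTERED]"}
"""

STARTED_RE = re.compile(r'^Started POST "/account/change_password" for (\S+) at '
                        r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')
PARAM_RE = re.compile(r'"password_change_user_id"=>"([^"]*)"')


def extract_requests(log_text):
    """Yield (timestamp, source_ip, user_id) for each password-change POST."""
    current = None  # (timestamp, ip) of the request whose Parameters line comes next
    for line in log_text.splitlines():
        if m := STARTED_RE.match(line):
            current = (datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"), m.group(1))
        elif (p := PARAM_RE.search(line)) and current:
            yield current[0], current[1], p.group(1)
            current = None


def find_enumeration(log_text, window=timedelta(minutes=5), min_distinct_ids=3):
    """Map source_ip -> sorted user ids for sources that submitted at least
    min_distinct_ids different password_change_user_id values inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, uid in extract_requests(log_text):
        by_ip[ip].append((ts, uid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological, so each start index opens a sliding window
        for i, (start, _) in enumerate(events):
            ids = {uid for ts, uid in events[i:] if ts - start <= window}
            if len(ids) >= min_distinct_ids:
                flagged[ip] = sorted(ids, key=int)
                break
    return flagged
```

Running find_enumeration(SAMPLE_LOG) flags only 203.0.113.5, which probed three distinct IDs within seconds; the single request from 198.51.100.7 stays below the threshold.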
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenProject to version 16.6.2 or later, where this vulnerability has been patched. No other workarounds were specified. [4, 1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated remote attackers to enumerate the usernames of all registered accounts in an OpenProject instance, which impacts confidentiality by exposing user information. Such exposure of personal data could affect compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personally identifiable information (PII) and the confidentiality of user data. The vulnerability does not affect system integrity or availability, and no further system impacts are noted. Organizations running affected versions should upgrade to OpenProject 16.6.2 or later to remediate the issue and maintain compliance. [4]