CVE-2026-33667
Brute Force 2FA Bypass in OpenProject Pre
Publication date: 2026-04-15
Last updated on: 2026-04-28
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openproject | openproject | to 17.3.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33667 is a high-severity vulnerability in OpenProject versions prior to 17.3.0 affecting the Two-Factor Authentication (2FA) One-Time Password (OTP) verification process.
The vulnerability exists because the 2FA OTP verification (confirm_otp action) does not have any rate limiting, lockout mechanism, or failed-attempt tracking. This means that an attacker who already knows a user's password can repeatedly try to guess the 6-digit TOTP code without restriction.
The existing brute_force_block_after_failed_logins setting only tracks password login failures and does not apply to the 2FA verification stage. Methods that handle OTP failures do not increment failure counters, lock accounts, or add delays.
Because the TOTP verification allows a ±60 second drift window, approximately 5 valid codes exist simultaneously, increasing the chance of guessing correctly.
An attacker can attempt 5-10 guesses per second, potentially brute-forcing the OTP within about 11 hours, effectively bypassing 2FA for any account where the password is known.
This vulnerability also affects backup code verification.
How can this vulnerability impact me?
This vulnerability allows an attacker who knows a user's password to bypass the two-factor authentication protection by brute-forcing the 6-digit OTP code without any rate limiting or lockout.
As a result, accounts protected by 2FA can be fully compromised, undermining the security benefits of two-factor authentication.
This can lead to unauthorized access to sensitive project management data and potentially allow attackers to perform actions as the legitimate user.
The vulnerability increases the risk of credential stuffing attacks and account takeovers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high rates of failed 2FA OTP verification attempts without corresponding account lockouts or delays.
Since the vulnerability involves the lack of rate limiting and failed-attempt tracking on the 2FA OTP verification stage, you can look for rapid repeated OTP verification requests in your OpenProject logs.
Suggested commands include searching your OpenProject server logs for multiple rapid failed OTP verification attempts (confirm_otp action) from the same user or IP address.
- Use grep or similar tools to filter logs for 'confirm_otp' failures, for example: `grep 'confirm_otp' /path/to/openproject/logs/production.log | grep 'failed'`
- Monitor for high frequency of 2FA verification attempts using network monitoring tools or intrusion detection systems that can detect brute-force patterns.
- Check if the failed login counters or lockout mechanisms are incrementing or triggered after multiple failed OTP attempts; if not, this indicates the vulnerability.
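A worked version of the log check above, added here as an example rather than code from OpenProject or this page: it parses constructed log lines in an assumed `key=value` format (adapt `LINE_RE` to the real production.log shape) and flags any IP/user pair whose failed `confirm_otp` attempts reach a threshold within a sliding time window, which is exactly the burst pattern the missing lockout fails to stop.

```ruby
# Added example (not OpenProject code): flag bursts of failed confirm_otp
# attempts per (source IP, user) within a sliding window.
# Assumed line shape, constructed for this example; adapt to your real log:
#   2026-04-15T10:00:00Z ip=203.0.113.7 user=alice action=confirm_otp result=failed
require 'time'

LINE_RE = /^(?<ts>\S+)\s+ip=(?<ip>\S+)\s+user=(?<user>\S+)\s+action=(?<action>\S+)\s+result=(?<result>\S+)/

# Parse one line; returns nil unless it is a failed confirm_otp attempt.
def parse_failed_otp(line)
  m = LINE_RE.match(line)
  return nil unless m && m[:action] == 'confirm_otp' && m[:result] == 'failed'
  { ts: Time.parse(m[:ts]), ip: m[:ip], user: m[:user] }
end

# Returns { [ip, user] => peak_failures_in_window } for every pair whose
# failed attempts reached `threshold` inside any `window` seconds.
def flag_otp_bruteforce(lines, threshold: 20, window: 60)
  by_key = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    ev = parse_failed_otp(line)
    by_key[[ev[:ip], ev[:user]]] << ev[:ts] if ev
  end
  flagged = {}
  by_key.each do |key, times|
    times.sort!
    start = 0
    peak = 0
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > window   # slide window start forward
      peak = [peak, i - start + 1].max
    end
    flagged[key] = peak if peak >= threshold
  end
  flagged
end

# Constructed sample: one benign user, one password failure, and a 5/s burst
# of 30 failed OTP guesses against 'alice' from a single address.
SAMPLE_LOG = [
  '2026-04-15T10:00:00Z ip=198.51.100.4 user=bob action=confirm_otp result=failed',
  '2026-04-15T10:00:05Z ip=198.51.100.4 user=bob action=confirm_otp result=success',
  '2026-04-15T10:00:07Z ip=203.0.113.7 user=alice action=login result=failed'
] + (0...30).map do |i|
  t = Time.utc(2026, 4, 15, 10, 0, 10) + i * 0.2
  "#{t.iso8601(1)} ip=203.0.113.7 user=alice action=confirm_otp result=failed"
end

puts flag_otp_bruteforce(SAMPLE_LOG).inspect if $PROGRAM_NAME == __FILE__
```

Lower the threshold or shorten the window to taste; the point is that a 2FA stage with no lockout makes this count the only signal you have until the upgrade.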
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenProject to version 17.3.0 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, consider implementing external rate limiting or monitoring on the 2FA OTP verification endpoints to detect and block brute-force attempts.
Additional mitigation includes enforcing strong password policies to reduce the risk of attackers knowing user passwords, since the vulnerability requires password knowledge.
If possible, temporarily disable 2FA backup code verification or restrict its usage until the patch is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker who knows a user's password to bypass two-factor authentication (2FA) by brute-forcing the 6-digit OTP code without any rate limiting or lockout mechanisms. This undermines the security guarantees of 2FA, potentially leading to unauthorized access to user accounts.
Such unauthorized access risks exposing sensitive personal or protected health information, which can lead to non-compliance with data protection regulations like GDPR and HIPAA that require strong access controls and protection of user data.
Therefore, the vulnerability negatively impacts compliance with these standards by weakening authentication security and increasing the risk of data breaches.