CVE-2026-44733
Deferred - Pending Action
Business Logic Error in OpenProject Password Change

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a business logic error in OpenProject, reachable through a PATCH request to /api/v3/users/me, permits bypassing the password requirements. A password validation flaw in the change-password behavior allows attackers to change a user's password with only an active session takeover. This vulnerability is fixed in 17.3.2 and 17.4.0.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor        Product       Version / Range
openproject   openproject   up to 17.4.0 (excluding)
openproject   openproject   up to 17.3.2 (excluding); end_excluding=17.4.0
Exploitability
CWE-620: When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
AI Quick Actions
Executive Summary

This vulnerability is a password validation flaw in OpenProject versions before 17.3.2. It arises from a business logic error in the PATCH request to the /api/v3/users/me endpoint. Because of this flaw, an attacker who has taken over an active user session can bypass the normal password requirements and change the user's password without needing additional privileges or user interaction.

Compliance Impact

This vulnerability allows attackers to bypass password requirements and change a user's password with only an active session takeover, which can lead to unauthorized access to user accounts.

Such unauthorized access can compromise the confidentiality of sensitive personal or health information managed within OpenProject, potentially violating data protection standards like GDPR and HIPAA that require strict access controls and protection of personal data.

Therefore, this flaw could negatively impact compliance with these regulations by increasing the risk of unauthorized data access due to weak password validation and session management.

Impact Analysis

The vulnerability allows an attacker with an active session to change a user's password, which can lead to unauthorized access to the user's account. It has a high impact on the confidentiality of user data, since attackers can gain control over accounts. The integrity and availability impacts are minimal, but the compromise of user credentials can lead to further security issues.

Detection Guidance

This vulnerability involves a business logic error in the PATCH request to the /api/v3/users/me endpoint in OpenProject versions before 17.3.2. Detection would involve monitoring or inspecting PATCH requests to this endpoint to identify unauthorized password changes.

Specific commands are not provided in the available resources, but network or application logs could be searched for PATCH requests to /api/v3/users/me that result in password changes without proper validation.
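
The log search sketched above, carried out in code as an added example; this is not part of the advisory or OpenProject's own tooling. The JSON-lines request log format, the field names (client_ip, session_id, user, method, path, body_keys), the sample lines, and the assumption that the new password travels in a body attribute named "password" are all constructed for the example; real OpenProject/Rails request logs differ, so the parser is the part to adapt. Beyond the page's filter on PATCH /api/v3/users/me, it also flags a password change whose session was previously used from a different client address, the session-takeover precondition the advisory names.

```python
"""Detection example for PATCH /api/v3/users/me password changes (added example,
not the advisory's or OpenProject's code). Log format and field names are assumed."""
import json
from collections import defaultdict

TARGET_PATH = "/api/v3/users/me"
# Assumed body attribute names that carry a new password; confirm against your API version.
SENSITIVE_KEYS = {"password", "newPassword", "password_confirmation"}

# Constructed sample log (JSON lines, chronological): a GET, a harmless profile
# update, a password change from the user's usual address, a password change on the
# same session from a second address, and an unrelated user's profile update.
SAMPLE_LOG = """
{"ts":"2026-06-26T10:00:01Z","client_ip":"10.0.0.5","session_id":"s1","user":"alice","method":"GET","path":"/api/v3/users/me","body_keys":[]}
{"ts":"2026-06-26T10:02:10Z","client_ip":"10.0.0.5","session_id":"s1","user":"alice","method":"PATCH","path":"/api/v3/users/me","body_keys":["language"]}
{"ts":"2026-06-26T10:05:44Z","client_ip":"10.0.0.5","session_id":"s1","user":"alice","method":"PATCH","path":"/api/v3/users/me","body_keys":["password"]}
{"ts":"2026-06-26T10:09:30Z","client_ip":"198.51.100.23","session_id":"s1","user":"alice","method":"PATCH","path":"/api/v3/users/me","body_keys":["password"]}
{"ts":"2026-06-26T10:11:00Z","client_ip":"10.0.0.9","session_id":"s2","user":"bob","method":"PATCH","path":"/api/v3/users/me","body_keys":["firstName"]}
"""


def parse_lines(text):
    """Parse JSON-lines text into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole scan
    return events


def is_password_change(event):
    """True for a PATCH to the self-service endpoint whose body names a password field."""
    return (event.get("method") == "PATCH"
            and event.get("path") == TARGET_PATH
            and bool(SENSITIVE_KEYS.intersection(event.get("body_keys", []))))


def password_change_events(events):
    """All self-service password changes in the log, in order."""
    return [e for e in events if is_password_change(e)]


def flag_suspicious(events):
    """Walk the log in order and report each password change together with the client
    addresses that used the same session *before* it. A change coming from an address
    the session was not seen on earlier is marked suspicious (possible session takeover).
    Assumes the log is in chronological order."""
    seen_ips = defaultdict(set)  # session_id -> client IPs seen so far
    findings = []
    for e in events:
        sid = e.get("session_id")
        ip = e.get("client_ip")
        if is_password_change(e):
            prior = sorted(seen_ips[sid] - {ip})
            findings.append({
                "ts": e.get("ts"), "user": e.get("user"), "session_id": sid,
                "client_ip": ip, "prior_ips": prior, "suspicious": bool(prior),
            })
        if sid:
            seen_ips[sid].add(ip)
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(parse_lines(SAMPLE_LOG)):
        print(finding)
```

On the sample log the first password change (same address the session always used) is reported but not marked suspicious, while the second, issued on the same session from a new address, is. Every PATCH to the endpoint carrying a password field is worth reviewing on an unpatched instance regardless of the flag; the address comparison only ranks them.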

Mitigation Strategies

The immediate mitigation step is to upgrade OpenProject to version 17.3.2 or 17.4.0, where this password validation flaw has been fixed.

Additionally, monitoring active sessions and ensuring session security can help reduce the risk of session takeover, which is required to exploit this vulnerability.
