OpenProject · OpenProject · CVE-2026-22603
**Name of the Vulnerable Software and Affected Versions**
OpenProject versions prior to 16.6.2
**Description**
OpenProject is web-based project management software. In affected versions, the unauthenticated password-change endpoint, `/account/change_password`, lacked the brute-force protection that the standard login flow applies. An attacker who knows or can enumerate a user ID could submit an unlimited number of password-change requests against that account without triggering the account lockout or rate limiting that would stop the same guesses at the login form. This enables automated password guessing against a chosen account; a successful guess yields full control of that account and, where the account holds elevated roles, privilege escalation within the application. Knowledge of the target's user ID is the precondition for exploitation, which is why user-ID enumeration matters for this issue.
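The following is an added illustration of the weakness class described above, not OpenProject's code and not its fix: a toy password-change endpoint is run once without any brute-force guard and once behind a per-account failure counter with lockout of the kind a login flow normally has. All names (`User`, `BruteForceGuard`, `PasswordChangeEndpoint`, `brute_force`, the wordlist and the user ID 42) are invented for the example.

```ruby
# Illustration written for this advisory: a toy password-change endpoint with
# and without the per-account brute-force guard that a login flow normally has.
# This is not OpenProject code and uses no OpenProject API; User,
# BruteForceGuard, PasswordChangeEndpoint and brute_force are invented names.

User = Struct.new(:id, :password)

# Counts failed attempts per user id and blocks further attempts for a
# cool-down period once the threshold is reached.
class BruteForceGuard
  def initialize(max_failures: 5, block_seconds: 600, clock: -> { Time.now })
    @max_failures = max_failures
    @block_seconds = block_seconds
    @clock = clock                # injectable so expiry can be tested
    @failures = Hash.new(0)       # user id => consecutive failures
    @blocked_until = {}           # user id => Time the block expires
  end

  def blocked?(user_id)
    expires = @blocked_until[user_id]
    return false unless expires
    return true if @clock.call < expires
    reset(user_id)                # block has lapsed
    false
  end

  def record_failure(user_id)
    @failures[user_id] += 1
    return if @failures[user_id] < @max_failures
    @blocked_until[user_id] = @clock.call + @block_seconds
  end

  def record_success(user_id)
    reset(user_id)
  end

  private

  def reset(user_id)
    @failures.delete(user_id)
    @blocked_until.delete(user_id)
  end
end

# Toy endpoint: verifies the current password for the given user id and sets a
# new one. guard: nil models the unprotected endpoint from the advisory.
class PasswordChangeEndpoint
  def initialize(users, guard: nil)
    @users = users.each_with_object({}) { |u, h| h[u.id] = u }
    @guard = guard
  end

  # Returns :blocked, :unauthorized, :not_found or :changed.
  def call(user_id, current_password, new_password)
    return :blocked if @guard&.blocked?(user_id)
    user = @users[user_id]
    return :not_found unless user   # a real handler should not reveal this
    unless constant_time_equal?(user.password, current_password)
      @guard&.record_failure(user_id)
      return :unauthorized
    end
    @guard&.record_success(user_id)
    user.password = new_password
    :changed
  end

  private

  # Length check then bytewise XOR; real systems compare password hashes.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replays a wordlist against one user id, as the advisory describes, and
# returns [outcome, number of guesses the endpoint actually evaluated].
def brute_force(endpoint, user_id, guesses, new_password: "attacker-chosen")
  evaluated = 0
  guesses.each do |guess|
    result = endpoint.call(user_id, guess, new_password)
    evaluated += 1 unless result == :blocked
    return [result, evaluated] if result == :changed
  end
  [:exhausted, evaluated]
end

# Constructed wordlist; the victim's real password is the sixth entry.
WORDLIST = %w[123456 password letmein qwerty admin123 Summer2025! s3cret].freeze

def demo
  unprotected = PasswordChangeEndpoint.new([User.new(42, "Summer2025!")])
  protected_ep = PasswordChangeEndpoint.new([User.new(42, "Summer2025!")],
                                            guard: BruteForceGuard.new(max_failures: 5, block_seconds: 600))
  {
    unprotected: brute_force(unprotected, 42, WORDLIST),
    protected: brute_force(protected_ep, 42, WORDLIST)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (outcome, n)| puts "#{name}: #{outcome} after #{n} evaluated guesses" }
end
```

The guard is keyed on the user ID because that is the value the attacker supplies and varies least across guesses. The point of the example is that the same guard instance has to sit in front of every path that verifies a password (login, password change, and any other re-authentication step); a counter that only the login form consults is bypassed simply by sending the guesses to the other endpoint, which is the shape of the issue described above.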
**Recommendations**
Versions prior to 16.6.2 should be upgraded to version 16.6.2 or later.
If upgrading is not immediately possible, apply the manual patch.