PT-2026-2223 · Openproject · Openproject

Александр Татаринцев · Published: 2026-01-10 · Updated: 2026-01-12 · CVE-2026-22603

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 16.6.2
Description: OpenProject is a web-based project management software. In affected versions, the unauthenticated password-change endpoint, /account/change_password, lacked the brute-force protection present in the standard login process. An attacker capable of guessing or enumerating user IDs could submit an unlimited number of password-change requests for a specific account without triggering account lockout or rate limiting. This enables automated password guessing, potentially leading to full account compromise and possible privilege escalation within the application. The user ID is a critical component in exploiting this issue.
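As an added illustration (not OpenProject's own code and not its actual patch): a per-account attempt counter, keyed by the user ID the advisory singles out, that gives a password-change endpoint the same lockout behaviour the login flow already has. The in-memory store and the injectable clock are assumptions standing in for the application's cache and system time.

```ruby
# Added example: lockout for a password-change endpoint, keyed by user id.
# The Hash store and the clock lambda are stand-ins (assumptions) for the
# application's real cache and Time.now; they keep the example testable offline.
class PasswordChangeThrottle
  MAX_ATTEMPTS = 5        # failed attempts tolerated per account...
  LOCK_SECONDS = 15 * 60  # ...before that account is locked for this long

  attr_reader :store

  def initialize(max_attempts: MAX_ATTEMPTS, lock_seconds: LOCK_SECONDS, clock: -> { Time.now })
    @max = max_attempts
    @lock = lock_seconds
    @clock = clock
    @store = Hash.new { |h, k| h[k] = { failures: 0, locked_until: nil } }
  end

  # True when a request for this user id may reach the credential check at all.
  # A locked account is refused before any password is evaluated, so repeated
  # requests yield no signal about which guess was right.
  def allowed?(user_id)
    entry = @store[user_id]
    return true if entry[:locked_until].nil?
    if entry[:locked_until] <= @clock.call
      @store[user_id] = { failures: 0, locked_until: nil }   # lock window expired
      true
    else
      false
    end
  end

  def record_failure(user_id)
    entry = @store[user_id]
    entry[:failures] += 1
    entry[:locked_until] = @clock.call + @lock if entry[:failures] >= @max
    entry
  end

  def record_success(user_id)
    @store.delete(user_id)   # a genuine change clears the counter
  end

  # One password-change request; the block is the application's real credential check.
  # Returns :locked, :rejected or :ok so the caller can log and respond accordingly.
  def attempt(user_id, &verify)
    return :locked unless allowed?(user_id)
    if verify.call
      record_success(user_id); :ok
    else
      record_failure(user_id); :rejected
    end
  end
end
```

The same counter should be applied regardless of whether the request carries a valid session, since the endpoint in question is reachable unauthenticated.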
Recommendations: Versions prior to 16.6.2 should be upgraded to version 16.6.2 or later. If upgrading is not immediately possible, apply the manual patch.

Tags: Exploit · Fix · LPE

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts

Related Identifiers: CVE-2026-22603, GHSA-93X5-PRX9-X239

Affected Products: Openproject