PT-2026-33118 · Unknown · Openproject
Wernerina · Published 2026-04-15 · Updated 2026-04-16 · CVE-2026-33667
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 17.3.0
Description: Two-factor authentication (2FA) OTP verification in the 'confirm otp' action of the two-factor authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The 'brute force block after failed logins' setting only counts password login failures and does not apply to the 2FA stage. In addition, the 'fail login' and 'stage failure' functions neither increment counters, lock accounts, nor introduce delays. Because the default Time-based One-Time Password (TOTP) drift window of ±60 seconds makes several codes valid at the same time, an attacker who already holds a user's password can brute-force the 6-digit TOTP code. The same issue affects backup code verification, potentially allowing a complete 2FA bypass.
Recommendations: Update to version 17.3.0.
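As an added illustration of the weakness described above (hypothetical Ruby, not OpenProject's own code), the verifier below reproduces the unpatched behaviour when `max_failures: nil` (failures are never recorded) and the hardened behaviour otherwise (per-user failure counter and lockout that also refuses a correct code while locked). It assumes RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second step), under which a ±60 s drift window admits up to five codes at once.

```ruby
require "openssl"

# Minimal RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step). Hypothetical helper, not OpenProject code.
def totp(secret, time, step: 30, digits: 6)
  counter = [time.to_i / step].pack("Q>")
  hmac = OpenSSL::HMAC.digest("SHA1", secret, counter)
  offset = hmac.bytes.last & 0x0f
  code = (hmac.byteslice(offset, 4).unpack1("N") & 0x7fffffff) % (10**digits)
  format("%0#{digits}d", code)
end

# Every code the verifier would accept at `time` under a +/-`drift` window:
# one per 30-second step inside the window, so a +/-60 s drift admits up to five.
def valid_codes(secret, time, drift: 60, step: 30)
  ((time - drift)..(time + drift)).step(step).map { |t| totp(secret, t, step: step) }.uniq
end

# OTP verifier with per-user failure tracking. `max_failures: nil` reproduces the
# advisory's weak behaviour (failures never counted, no lockout); an integer
# locks the user out for `lockout` seconds after that many consecutive failures.
class OtpVerifier
  def initialize(secret, drift: 60, max_failures: 5, lockout: 15 * 60)
    @secret, @drift, @max_failures, @lockout = secret, drift, max_failures, lockout
    @failures = Hash.new(0)      # user => consecutive failed attempts
    @locked_until = {}           # user => epoch seconds until which OTP is refused
  end

  def locked?(user, now)
    @locked_until.key?(user) && now < @locked_until[user]
  end

  # Returns :ok, :invalid or :locked. A correct code is refused while locked,
  # so a guess that happens to hit the window during lockout gains nothing.
  def verify(user, code, now)
    return :locked if locked?(user, now)
    if valid_codes(@secret, now, drift: @drift).include?(code)
      @failures.delete(user)
      @locked_until.delete(user)
      return :ok
    end
    return :invalid if @max_failures.nil?   # the unpatched behaviour: nothing is recorded
    @failures[user] += 1
    return :invalid if @failures[user] < @max_failures
    @failures.delete(user)
    @locked_until[user] = now + @lockout
    :locked
  end
end
```

The same counter and lockout should wrap backup-code verification, since the advisory notes that path is equally untracked.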

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts
Related Identifiers: CVE-2026-33667
Affected Products: Openproject