Unauthenticated Password Change Vulnerability in OpenProject by OPF
CVE-2026-22603

6.9MEDIUM

Key Information:

Vendor

Opf

Status
Openproject
Vendor
CVE Published:
10 January 2026

What is CVE-2026-22603?

OpenProject, a web-based project management tool, prior to version 16.6.2, has a security flaw that allows unauthenticated users to exploit the password change endpoint. Attackers can send unlimited password change requests without being subjected to brute-force protection mechanisms. This vulnerability enables them to perform automated guessing attacks against valid accounts, leading to account takeovers. Depending on the compromised user's role, this could facilitate further escalation within the application. Users are advised to upgrade to version 16.6.2 or apply manual patches to secure their accounts.

Affected Version(s)

openproject < 16.6.2

References

https://github.com/opf/openproject/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/opf/openproject/pull/21272
x_refsource_MISC
https://github.com/opf/openproject/commit/2b394b9ba5af1e5...
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.