2FA Bypass Vulnerability in OpenProject by OpenProject Foundation
CVE-2026-33667

7.4 HIGH

Key Information:

Vendor: Opf

CVE Published: 15 April 2026

What is CVE-2026-33667?

OpenProject, a leading open-source project management tool, has a vulnerability in its two-factor authentication (2FA) mechanism. In the affected versions prior to 17.3.0, the OTP verification process has no rate limiting, no lockout mechanism, and no tracking of failed attempts. This omission allows an attacker who already knows a user's password to brute-force the 6-digit TOTP codes at 5-10 attempts per second, which amounts to a complete bypass of the 2FA safeguard for any account whose password is known. The same weakness affects the verification of backup codes, further increasing the risk of unauthorized access. The issue is fixed in version 17.3.0.
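The controls the advisory says were missing (failed-attempt tracking, a lockout window, and rejection of replayed codes) are shown below as an added example in plain Ruby. OpenProject is a Rails application, but this is not OpenProject's code and does not reflect how its fix is implemented; the secret, the thresholds (5 failures, 15-minute lockout, one step of clock drift) and the injectable clock are constructed for the example.

```ruby
require 'openssl'

# Added example (not OpenProject code): a TOTP check wrapped in failed-attempt
# tracking and a lockout window. Secret, limits and clock are constructed here.
module Totp
  STEP = 30
  DIGITS = 6

  # RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step) for a raw byte-string secret.
  def self.code(secret, time, counter_offset: 0)
    counter = [time.to_i / STEP + counter_offset].pack('Q>')
    hmac = OpenSSL::HMAC.digest('SHA1', secret, counter)
    offset = hmac.getbyte(19) & 0x0f
    bin = ((hmac.getbyte(offset) & 0x7f) << 24) |
          (hmac.getbyte(offset + 1) << 16) |
          (hmac.getbyte(offset + 2) << 8) |
          hmac.getbyte(offset + 3)
    format("%0#{DIGITS}d", bin % 10**DIGITS)
  end

  # Constant-time comparison so response timing does not leak matching digits.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class OtpVerifier
  MAX_FAILURES = 5          # consecutive wrong codes before the account locks
  LOCKOUT_SECONDS = 15 * 60 # how long the lock holds (assumed value)
  DRIFT_STEPS = 1           # also accept the neighbouring 30 s windows

  attr_reader :failures, :locked_until

  def initialize(secret, clock: -> { Time.now })
    @secret = secret
    @clock = clock          # injectable so the lockout can be exercised offline
    @failures = 0
    @locked_until = nil
    @last_counter = nil     # counter of the last accepted code (replay guard)
  end

  def locked?
    !@locked_until.nil? && @clock.call < @locked_until
  end

  # Returns :ok, :invalid or :locked. While locked the code is not evaluated at
  # all, so a brute-force attempt learns nothing from the response.
  def verify(code)
    now = @clock.call
    return :locked if locked?
    @locked_until = nil

    matched = (-DRIFT_STEPS..DRIFT_STEPS).find do |d|
      Totp.secure_equal?(Totp.code(@secret, now, counter_offset: d), code.to_s)
    end

    if matched.nil? || replay?(now, matched)
      record_failure(now)
    else
      @failures = 0
      @last_counter = now.to_i / Totp::STEP + matched
      :ok
    end
  end

  private

  # A code for a window at or before the last accepted one is a replay.
  def replay?(now, drift)
    !@last_counter.nil? && now.to_i / Totp::STEP + drift <= @last_counter
  end

  def record_failure(now)
    @failures += 1
    if @failures >= MAX_FAILURES
      @locked_until = now + LOCKOUT_SECONDS
      @failures = 0
      :locked
    else
      :invalid
    end
  end
end
```

With the constructed limits, an attacker who knows the password gets five guesses per 15 minutes against a one-in-a-million-per-guess keyspace instead of 5-10 per second, which turns a bypass into a non-starter. A per-account lock does hand anyone who knows the username a way to lock the real user out, so in practice it is paired with a per-source rate limit and with alerting on lockout events rather than used alone.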

Affected Version(s)

openproject < 17.3.0

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 15 April 2026

  • Vulnerability reserved