CVE-2026-22603 Overview
OpenProject is an open-source, web-based project management software used by organizations worldwide for project planning, tracking, and collaboration. Prior to version 16.6.2, a critical authentication bypass vulnerability exists in OpenProject's unauthenticated password-change endpoint (/account/change_password). This endpoint was not protected by the same brute-force safeguards that apply to the normal login form, enabling attackers to perform unlimited password-guessing attacks against valid user accounts.
Critical Impact
An attacker who can guess or enumerate user IDs can perform automated password-guessing attacks using wordlists of common passwords without triggering lockout or rate-limiting controls. Successful exploitation results in full account compromise and potential privilege escalation within the application.
Affected Products
- OpenProject versions prior to 16.6.2
- OpenProject installations with the password change functionality enabled
- Self-hosted and cloud-hosted OpenProject deployments running vulnerable versions
Discovery Timeline
- 2026-01-10 - CVE-2026-22603 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22603
Vulnerability Analysis
This vulnerability stems from a missing brute-force protection mechanism (CWE-307: Improper Restriction of Excessive Authentication Attempts) on the password change endpoint. While the standard login form includes rate-limiting and account lockout controls to prevent brute-force attacks, the /account/change_password endpoint was inadvertently left unprotected.
The attack surface is exposed via the network and requires no authentication or user interaction to exploit. An attacker needs only to identify valid user IDs through enumeration or other means, and can then programmatically submit password-change requests with candidate passwords from common wordlists. Because the endpoint did not track failed attempts, there was no lockout mechanism to halt the attack.
Successful exploitation enables full account takeover. Depending on the compromised account's role and permissions, this can lead to horizontal or vertical privilege escalation within the OpenProject instance, potentially granting access to sensitive project data, administrative functions, or further attack vectors within the organization.
Root Cause
The root cause is the missing implementation of failed login attempt tracking and lockout logic in the password change controller. The password change endpoint did not invoke the failed_too_many_recent_login_attempts? check or log_failed_login method that the regular authentication flow uses. This asymmetry in security controls created a bypass path for brute-force attacks.
Attack Vector
The attack can be executed remotely over the network by any unauthenticated attacker with knowledge of valid user identifiers. The attacker targets the /account/change_password endpoint with automated requests, systematically testing passwords from wordlists. Since no rate limiting or lockout was enforced, attacks could proceed at high speed limited only by network bandwidth.
The following excerpt of the patch applied in version 16.6.2 shows the fix in the password change controller (lines prefixed with + were added):
# auth sources in the admin UI, so this shouldn't normally happen.
return if redirect_if_password_change_not_allowed(user)
+ # Check if user is locked due to too many failed attempts
+ if user.failed_too_many_recent_login_attempts?
+ flash_and_log_invalid_credentials(is_logged_in: !show_user_name)
+ return render_password_change(user, nil, show_user_name:)
+ end
+
# Ensure the current password is validated
unless user.check_password?(params[:password], update_legacy:)
+ user.log_failed_login
flash_and_log_invalid_credentials(is_logged_in: !show_user_name)
return render_password_change(user, nil, show_user_name:)
end
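Review bot: in the new locked-account branch (the `if user.failed_too_many_recent_login_attempts?` block) the request is rejected without calling `user.log_failed_login`, so requests that arrive while the account is already locked are not counted; if the lockout is computed from recent failures only, the lock will lapse on schedule regardless of continued attempts, whereas the `unless user.check_password?` branch below does record each failure. If the regular login flow counts attempts made during lockout, consider adding `user.log_failed_login` here as well so both paths behave the same. Reusing `flash_and_log_invalid_credentials` in both branches is a good choice, since the response does not reveal whether the account is locked or the password was wrong.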
Source: GitHub Commit Details
The patch adds two critical security checks: verification of the failed_too_many_recent_login_attempts? condition before processing the password change, and logging of failed attempts via log_failed_login when password validation fails. This aligns the endpoint's security controls with the standard login form.
Detection Methods for CVE-2026-22603
Indicators of Compromise
- High volume of POST requests to /account/change_password endpoint from single IP addresses or ranges
- Multiple failed password change attempts for the same user account in rapid succession
- Unusual patterns of password change requests outside normal business hours
- Authentication log entries showing repeated failures followed by a success for the same account
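To illustrate the first indicator above, here is an added detection example (not from the advisory and not OpenProject's own code) that scans reverse-proxy access-log lines in nginx combined format and flags any source IP that sends more than a threshold of POSTs to /account/change_password inside a sliding time window; the log lines and IP addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-format access log line (e.g. from the nginx proxy in front of
# OpenProject); only the fields needed for detection are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ENDPOINT = "/account/change_password"

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "status": int(m["status"]),
            "path": m["path"].split("?", 1)[0]}  # drop any query string

def find_bruteforce_sources(lines, path=ENDPOINT, threshold=5, window_s=60):
    """Return {ip: peak_count} for every source IP that sent more than
    `threshold` POSTs to `path` inside any `window_s`-second sliding window.
    Lines are assumed to be in log (chronological) order."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still in window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire timestamps older than the window
        if len(q) > threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

def constructed_sample_log():
    """Constructed sample traffic (not real logs): one source firing eight
    POSTs at the endpoint two seconds apart, plus one ordinary user."""
    fmt = ('{ip} - - [10/Jan/2026:02:14:{s:02d} +0000] '
           '"{m} {p} HTTP/1.1" {st} 512 "-" "{ua}"')
    lines = [fmt.format(ip="198.51.100.4", s=0, m="GET", p=ENDPOINT,
                        st=200, ua="Mozilla/5.0")]
    lines += [fmt.format(ip="203.0.113.7", s=2 * i, m="POST", p=ENDPOINT,
                         st=200, ua="python-requests/2.31") for i in range(8)]
    lines.append(fmt.format(ip="198.51.100.4", s=30, m="POST", p=ENDPOINT,
                            st=302, ua="Mozilla/5.0"))
    return lines
```

Calling find_bruteforce_sources(constructed_sample_log()) returns {'203.0.113.7': 8} while the ordinary user is not flagged; feed it the lines of a real access log and tune threshold and window_s to the baseline established for your deployment.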
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block rapid-fire requests to the password change endpoint
- Configure intrusion detection systems (IDS) to alert on patterns indicative of credential stuffing or brute-force attacks
- Enable and monitor OpenProject application logs for failed authentication events on the password change endpoint
- Deploy SentinelOne Singularity platform to detect anomalous process behavior and suspicious network patterns associated with automated attack tools
Monitoring Recommendations
- Establish baseline metrics for password change endpoint usage and alert on deviations
- Monitor for user account lockouts that may indicate ongoing brute-force attempts
- Review authentication logs regularly for signs of credential compromise
- Implement real-time alerting on high-frequency requests to authentication-related endpoints
How to Mitigate CVE-2026-22603
Immediate Actions Required
- Upgrade OpenProject installations to version 16.6.2 or later immediately
- Review authentication logs for evidence of exploitation prior to patching
- Force password resets for any accounts showing suspicious failed attempt patterns
- Implement network-level rate limiting on the /account/change_password endpoint as an interim measure
Patch Information
OpenProject has released version 16.6.2 which addresses this vulnerability by implementing proper brute-force protection on the password change endpoint. The patch ensures that failed login attempt tracking and account lockout mechanisms are applied consistently across all authentication paths.
For detailed patch information, refer to:
Workarounds
- Apply the security patch manually if immediate upgrade is not possible (see GitHub Commit Details)
- Configure reverse proxy or WAF to enforce rate limiting on the /account/change_password endpoint
- Implement fail2ban or similar IP-based blocking for repeated failed attempts to authentication endpoints
- Restrict access to the password change endpoint to trusted network ranges where feasible
# Example nginx rate limiting configuration for the password change endpoint.
# limit_req_zone must be declared in the http {} context; the location block
# belongs in the server {} block that fronts OpenProject. The upstream name
# openproject_backend is a placeholder for your own proxy target.
limit_req_zone $binary_remote_addr zone=password_change:10m rate=5r/m;

location /account/change_password {
    # at most 5 requests per minute per client IP, with a burst of 3; excess requests are rejected with 429
    limit_req zone=password_change burst=3 nodelay;
    limit_req_status 429;
    proxy_pass http://openproject_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.