CVE-2026-22604 Overview
OpenProject, an open-source web-based project management software, contains a username enumeration vulnerability in versions 11.2.1 to before 16.6.2. When sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page reveals the username for the requested user. Since this endpoint is designed to be accessible without authentication, attackers can systematically enumerate usernames of all accounts registered in an OpenProject instance.
Critical Impact
Unauthenticated attackers can enumerate all usernames in an OpenProject instance, enabling targeted attacks such as credential stuffing, password spraying, and social engineering campaigns.
Affected Products
- OpenProject versions 11.2.1 to 16.6.1
- OpenProject web-based installations (self-hosted and cloud instances)
- Any deployment exposing the /account/change_password endpoint
Discovery Timeline
- January 10, 2026 - CVE CVE-2026-22604 published to NVD
- January 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-22604
Vulnerability Analysis
This vulnerability is classified as an Information Exposure issue (CWE-200). The flaw exists in the password change functionality of OpenProject, specifically in how error responses are handled when processing requests to the /account/change_password endpoint. The application fails to implement proper access controls and response sanitization, allowing unauthenticated users to extract sensitive user information.
The vulnerability is exploitable over the network without requiring any privileges or user interaction. While the confidentiality impact is limited to username disclosure, this information can serve as a stepping stone for more sophisticated attacks against the target organization.
Root Cause
The root cause lies in improper information handling within the password change error response mechanism. When an invalid or arbitrary password_change_user_id parameter is submitted, the application generates an error page that inadvertently includes the associated username in the response. This information disclosure occurs because the application does not properly sanitize error messages or restrict access to user-identifying information on unauthenticated endpoints.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by crafting POST requests to the /account/change_password endpoint with sequential or guessed User IDs. By iterating through potential User ID values and analyzing the error responses, an attacker can compile a list of valid usernames registered in the OpenProject instance.
The vulnerability enables attackers to perform reconnaissance against an organization's OpenProject deployment. Harvested usernames can be used for:
- Credential stuffing attacks using leaked password databases
- Password spraying campaigns with common passwords
- Targeted phishing and social engineering attacks
- Identifying high-value accounts (administrators, project managers)
Detection Methods for CVE-2026-22604
Indicators of Compromise
- Unusual volume of POST requests to the /account/change_password endpoint from single IP addresses
- Sequential or patterned password_change_user_id parameter values in request logs
- Requests to the password change endpoint without accompanying session tokens or authentication cookies
- Automated scanning patterns with rapid consecutive requests to the vulnerable endpoint
Detection Strategies
- Configure web application firewalls to monitor and alert on bulk requests to /account/change_password
- Implement rate limiting rules specifically for the password change endpoint
- Deploy log analysis rules to identify enumeration attempts based on request patterns
- Monitor for automated tools or scripts targeting authentication-related endpoints
Monitoring Recommendations
- Enable detailed access logging for all authentication and account management endpoints
- Set up alerting thresholds for failed password change attempts from single sources
- Correlate password change endpoint activity with subsequent login attempts to detect exploitation chains
- Review web server logs for patterns indicative of user enumeration activity
How to Mitigate CVE-2026-22604
Immediate Actions Required
- Upgrade OpenProject to version 16.6.2 or later immediately
- Apply web application firewall rules to rate-limit requests to /account/change_password
- Review access logs for signs of prior exploitation or enumeration attempts
- Consider temporarily restricting access to the password change endpoint via network controls
Patch Information
OpenProject has released version 16.6.2 which addresses this vulnerability. The fix is available through the official GitHub Release v16.6.2. Organizations can review the specific code changes in the GitHub Commit Update and the associated GitHub Pull Request. For complete details on the vulnerability scope and remediation, refer to the GitHub Security Advisory GHSA-q7qp-p3vw-j2fh.
Workarounds
- Implement IP-based rate limiting on the /account/change_password endpoint to slow enumeration attempts
- Deploy a reverse proxy or WAF rule to require CAPTCHA or additional verification for password change requests
- Restrict access to OpenProject to trusted network ranges using firewall rules if public access is not required
- Monitor and block IP addresses exhibiting enumeration behavior
# Example nginx rate limiting configuration for OpenProject
# Add to server block or location directive
limit_req_zone $binary_remote_addr zone=password_limit:10m rate=5r/m;
location /account/change_password {
limit_req zone=password_limit burst=3 nodelay;
limit_req_status 429;
proxy_pass http://openproject_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
