CVE-2026-33667 Overview
CVE-2026-33667 is an authentication bypass vulnerability in OpenProject, an open-source project management application. It affects the two-factor authentication (2FA) verification step, specifically the confirm_otp action of the two_factor_authentication module. Because that step applies no rate limiting, account lockout, or failed-attempt tracking, an attacker who already holds a user's password can brute-force the 6-digit TOTP code and bypass 2FA entirely.
Critical Impact
Complete two-factor authentication bypass allowing unauthorized account access when an attacker knows the target user's password.
Affected Products
- OpenProject versions prior to 17.3.0
Discovery Timeline
- 2026-04-15 - CVE-2026-33667 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-33667
Vulnerability Analysis
This vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). The core issue lies in the complete lack of protection against brute-force attacks on the TOTP verification endpoint. While OpenProject implements the brute_force_block_after_failed_logins setting for password authentication, this protection does not extend to the 2FA verification stage.
TOTP, by design, tolerates some clock drift between the authenticator device and the server. OpenProject's default configuration accepts a drift of ±60 seconds, which with 30-second time steps means five consecutive steps are checked, so up to 5 distinct codes are valid at any moment. On its own that is a reasonable usability choice; combined with the missing rate limiting it turns guessing into a practical attack.
A 6-digit code has 1,000,000 possible values. With 5 of them valid, each guess succeeds with probability about 5 in 1,000,000, so an attacker needs roughly 200,000 guesses in expectation. Because the valid set rotates every 30 seconds, walking the code space in order loses nothing: every guess is effectively an independent draw against the current window. At 5 guesses per second (easily achievable against a typical web application) that is about 11 hours; at 10 per second, about 5.5 hours.
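To make the window arithmetic concrete, here is an added example (not OpenProject code) that implements RFC 6238 TOTP over HMAC-SHA1 in Ruby, enumerates every code a server would accept at a given instant for a ±60-second drift, and computes the expected guess count and time to a hit. The helper names totp, accepted_codes, expected_attempts and hours_to_hit are this example's own; the key below is the RFC 6238 test key, not a real secret.

```ruby
require "openssl"

TOTP_STEP = 30     # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6    # code length

# RFC 6238 TOTP over HMAC-SHA1. `secret` is the raw key bytes.
def totp(secret, unix_time, step: TOTP_STEP, digits: TOTP_DIGITS)
  counter = unix_time / step
  msg = [counter].pack("Q>")                  # 8-byte big-endian counter
  hmac = OpenSSL::HMAC.digest("SHA1", secret, msg)
  offset = hmac.bytes.last & 0x0f             # dynamic truncation (RFC 4226)
  code = (hmac[offset, 4].unpack1("N") & 0x7fffffff) % (10**digits)
  format("%0#{digits}d", code)
end

# Every distinct code a server accepts at `now` when it tolerates
# ±drift_seconds. With 60 s of drift and 30 s steps that is 5 steps.
def accepted_codes(secret, now, drift_seconds: 60)
  steps = drift_seconds / TOTP_STEP
  (-steps..steps).map { |k| totp(secret, now + k * TOTP_STEP) }.uniq
end

# Expected guesses before the first hit when each guess succeeds
# independently with probability valid / 10**digits.
def expected_attempts(valid, digits: TOTP_DIGITS)
  10**digits / valid.to_f
end

# Wall-clock hours to the expected hit at a given request rate.
def hours_to_hit(valid, rate_per_second)
  expected_attempts(valid) / rate_per_second / 3600.0
end

if __FILE__ == $PROGRAM_NAME
  key = "12345678901234567890"              # RFC 6238 test key
  now = 1_111_111_111
  window = accepted_codes(key, now)
  puts "codes accepted at #{now} with ±60 s drift: #{window.inspect}"
  puts "expected guesses: #{expected_attempts(window.size).to_i}"
  puts "hours at 5/s: #{hours_to_hit(window.size, 5).round(1)}, at 10/s: #{hours_to_hit(window.size, 10).round(1)}"
end
```

The accepted set is returned with uniq applied, so if two adjacent steps happened to yield the same 6 digits the attacker's odds would be marginally worse than 5 in a million; the 200,000 figure is the upper bound on the defender's side.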
Root Cause
The root cause is the absence of security controls in the 2FA verification code path. Neither the fail_login nor stage_failure methods in the two-factor authentication module increment any counter, lock the account, or introduce any delay between failed attempts. This oversight allows unlimited authentication attempts against the TOTP endpoint without triggering any defensive mechanisms.
Attack Vector
This vulnerability is exploitable over the network without user interaction. The attack scenario requires the attacker to first obtain valid credentials (username and password) for a target account. With credentials in hand, the attacker can initiate an automated brute-force attack against the TOTP verification endpoint.
The attack methodology involves:
- Authenticating with valid username and password to reach the 2FA prompt
- Systematically submitting TOTP codes in sequence
- Exploiting the lack of rate limiting to attempt codes at high velocity
- The same technique applies to backup code verification, providing an alternative attack path
For detailed technical information regarding this vulnerability, refer to the GitHub Security Advisory.
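The following is an added Ruby illustration of the root cause described above and of the guessing loop in the attack methodology; it is not OpenProject's own confirm_otp code or its fix. UncheckedOtpStage mirrors the vulnerable shape (a fail_login that records nothing), LockingOtpStage shows the hardened shape (a per-user failure counter with a temporary lock, checked with a constant-time comparison), and brute_force is the attacker's loop. The threshold, lock duration, class and method names are this example's assumptions; the set of currently valid codes is passed in rather than recomputed from TOTP.

```ruby
MAX_OTP_FAILURES = 5      # assumed policy: lock the 2FA stage after 5 bad codes
OTP_LOCK_SECONDS = 900    # assumed policy: 15-minute lock

# Shape of the vulnerable code path: a wrong code just returns to the prompt.
# fail_login records nothing, so the caller may guess without limit.
class UncheckedOtpStage
  def initialize(valid_codes)
    @valid = valid_codes
  end

  def confirm(user, code)
    return :ok if @valid.include?(code)
    fail_login(user)
    :retry
  end

  def fail_login(_user)
    # no counter, no lock, no delay
  end
end

# Hardened shape: count failures per user and lock the stage past a threshold.
# `clock` is injectable so lock expiry can be exercised without sleeping.
class LockingOtpStage
  def initialize(valid_codes, clock: -> { Time.now.to_i })
    @valid = valid_codes
    @clock = clock
    @failures = Hash.new(0)
    @locked_until = {}
  end

  def confirm(user, code)
    return :locked if locked?(user)
    if @valid.any? { |v| secure_compare(v, code) }
      @failures.delete(user)
      return :ok
    end
    fail_login(user)
    locked?(user) ? :locked : :retry
  end

  def fail_login(user)
    @failures[user] += 1
    @locked_until[user] = @clock.call + OTP_LOCK_SECONDS if @failures[user] >= MAX_OTP_FAILURES
  end

  # true while a lock is active; an expired lock also resets the counter
  def locked?(user)
    expires = @locked_until[user]
    return false unless expires
    return true if expires > @clock.call
    @locked_until.delete(user)
    @failures.delete(user)
    false
  end

  private

  # constant-time equality so the comparison itself leaks nothing about the code
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Guessing client: submits 000000, 000001, ... and stops at the first non-retry result.
# Returns [result, attempts_made].
def brute_force(stage, user, max_attempts)
  max_attempts.times do |i|
    result = stage.confirm(user, format("%06d", i))
    return [result, i + 1] unless result == :retry
  end
  [:retry, max_attempts]
end

if __FILE__ == $PROGRAM_NAME
  valid = ["000042"]   # constructed: pretend this is the only code in the window
  puts "unchecked: #{brute_force(UncheckedOtpStage.new(valid), 'alice', 1_000_000).inspect}"
  puts "locking:   #{brute_force(LockingOtpStage.new(valid), 'alice', 1_000_000).inspect}"
end
```

Against the unchecked stage the loop reaches the valid code on the 43rd request; against the locking stage it is shut out after MAX_OTP_FAILURES guesses, and the correct code is refused until the lock expires. A per-account lock of this kind is what stops the attack regardless of how many source addresses the attacker has, which a per-IP limit alone cannot do.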
Detection Methods for CVE-2026-33667
Indicators of Compromise
- Abnormally high volume of failed 2FA verification attempts from a single source IP
- Rapid successive POST requests to the TOTP/OTP verification endpoint
- Authentication logs showing repeated 2FA failures followed by a successful authentication
- User accounts experiencing unusual login activity despite 2FA being enabled
Detection Strategies
- Implement application-layer monitoring for excessive requests to /two_factor_authentication/confirm_otp or equivalent endpoints
- Configure SIEM rules to alert on more than 10 failed 2FA attempts within a 60-second window per user
- Monitor for automated traffic patterns indicative of brute-force attacks such as consistent request intervals and lack of JavaScript execution
- Deploy web application firewall (WAF) rules to detect and block high-frequency authentication attempts
Monitoring Recommendations
- Enable verbose logging for the two-factor authentication module to capture all verification attempts
- Correlate successful logins with preceding failed 2FA attempts to identify potential compromise
- Establish baseline metrics for 2FA verification failures and alert on significant deviations
- Review authentication logs for accounts that experience 2FA failures outside of normal user activity windows
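As an added example for the SIEM rule above (more than 10 failed 2FA attempts per user in 60 seconds) and the recommendation to correlate a success with preceding failures, here is a small Ruby detector run over a constructed log. The line format, field names and sample users are this example's own inventions, not OpenProject's real log output, so the parser would need adapting to whatever your deployment actually emits.

```ruby
require "time"

OTP_FAIL_THRESHOLD = 10    # alert on more than 10 failures per user ...
OTP_WINDOW_SECONDS = 60    # ... inside a sliding 60-second window

OtpEvent = Struct.new(:time, :user, :src, :outcome)

# Parses one line of the constructed format used below, e.g.
#   2026-04-16T10:00:00Z user=alice src=203.0.113.7 otp=fail
# Returns nil for lines without an otp= field.
def parse_otp_line(line)
  ts, rest = line.split(" ", 2)
  fields = rest.to_s.scan(/(\w+)=(\S+)/).to_h
  return nil unless fields["otp"]
  OtpEvent.new(Time.iso8601(ts), fields["user"], fields["src"], fields["otp"])
end

# Two rules over chronologically ordered lines:
#  1. otp_fail_burst:      more than `threshold` failures for one user within `window`
#  2. success_after_burst: a successful verification for a user already flagged by rule 1
def detect_otp_bruteforce(lines, threshold: OTP_FAIL_THRESHOLD, window: OTP_WINDOW_SECONDS)
  recent = Hash.new { |h, k| h[k] = [] }   # user -> failure timestamps still in window
  flagged = {}
  alerts = []
  lines.each do |line|
    ev = parse_otp_line(line)
    next unless ev
    q = recent[ev.user]
    q.shift while !q.empty? && ev.time - q.first > window   # expire old failures
    case ev.outcome
    when "fail"
      q << ev.time
      if q.size > threshold && !flagged[ev.user]
        flagged[ev.user] = true
        alerts << { type: :otp_fail_burst, user: ev.user, src: ev.src, count: q.size, at: ev.time }
      end
    when "ok"
      if flagged.delete(ev.user)
        alerts << { type: :success_after_burst, user: ev.user, src: ev.src, failures: q.size, at: ev.time }
      end
      q.clear
    end
  end
  alerts
end

# Constructed sample log (not real OpenProject output): alice is hit with
# 12 bad codes in 22 seconds and then a success; bob and carol show only
# ordinary, scattered failures that must not alert.
def synth_lines(user, src, start, outcomes, gap)
  outcomes.each_with_index.map do |o, i|
    "#{(start + i * gap).utc.iso8601} user=#{user} src=#{src} otp=#{o}"
  end
end

T0 = Time.utc(2026, 4, 16, 10, 0, 0)
SAMPLE_LOG = (
  synth_lines("alice", "203.0.113.7",  T0,     ["fail"] * 12 + ["ok"], 2) +
  synth_lines("bob",   "198.51.100.4", T0,     ["fail", "fail", "ok"], 240) +
  synth_lines("carol", "192.0.2.9",    T0 + 5, ["fail"] * 8 + ["ok"], 20)
).sort   # ISO-8601 prefix makes a plain sort chronological

if __FILE__ == $PROGRAM_NAME
  detect_otp_bruteforce(SAMPLE_LOG).each { |a| puts a.inspect }
end
```

The second rule is the one that matters for triage: a burst alone may be a confused user, but a success immediately after a burst from the same account is the signature of a completed bypass and should trigger a session revocation and credential reset for that account.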
How to Mitigate CVE-2026-33667
Immediate Actions Required
- Upgrade OpenProject to version 17.3.0 or later immediately
- Audit authentication logs for signs of brute-force attempts against 2FA endpoints
- Consider temporarily disabling external access to OpenProject until the patch is applied
- Force password resets for accounts showing suspicious 2FA activity patterns
- Implement network-level rate limiting on authentication endpoints as an interim measure
Patch Information
The vulnerability has been addressed in OpenProject version 17.3.0. Organizations should upgrade to this version or later to remediate the vulnerability. Detailed patch information and release notes are available in the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy or WAF with rate limiting rules targeting the 2FA verification endpoint (for example, 3-5 requests per minute per IP). Per-IP limits slow a single source but not an attacker spread across many addresses, and users behind a shared NAT egress share one budget, so pair this with per-account monitoring rather than relying on it alone
- Implement network-level IP-based rate limiting using tools like fail2ban or cloud provider WAF services
- Enable additional network access controls to restrict OpenProject access to trusted IP ranges or VPN users only
- Monitor and temporarily lock accounts showing excessive 2FA failures through external security tooling
# Example nginx rate limiting for the 2FA endpoint (illustrative, not OpenProject's shipped config).
# limit_req_zone must be declared in the http context; limit_req belongs in the location block.
# The key is the client IP, so a shared NAT egress shares the budget and a distributed attacker is not slowed.
limit_req_zone $binary_remote_addr zone=otp_limit:10m rate=5r/m;
limit_req_status 429;

# Inside the server block that fronts OpenProject:
location /two_factor_authentication {
    limit_req zone=otp_limit burst=3 nodelay;
    proxy_pass http://openproject_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

