CVE-2026-22603 is a vulnerability classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) affecting OpenProject, an open-source web-based project management software. Prior to version 16.6.2, the unauthenticated password-change endpoint (/account/change_password) lacked the brute-force protections that are present on the standard login form. This flaw allows an unauthenticated attacker to enumerate valid user IDs and submit unlimited password-change requests without triggering account lockout or rate-limiting mechanisms. By automating password-guessing attacks using common password wordlists, an attacker can compromise user accounts fully. Once an account is compromised, depending on the user’s role within OpenProject, the attacker may escalate privileges and gain broader access within the application. The vulnerability impacts confidentiality and integrity by enabling unauthorized account takeover and potential privilege escalation. The attack vector requires no authentication or user interaction, and the vulnerability is remotely exploitable over the network. The vendor addressed this issue in OpenProject version 16.6.2, and users unable to upgrade can apply manual patches to mitigate the risk. Although no exploits are currently known in the wild, the ease of exploitation and potential impact warrant prompt remediation.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of project management data and user accounts. Compromise of user accounts, especially those with administrative or elevated privileges, can lead to unauthorized access to sensitive project information, manipulation of project data, and disruption of workflows. This can affect organizations relying on OpenProject for collaboration, planning, and resource management, including government agencies, engineering firms, and software development companies. The lack of brute-force protections on the password-change endpoint increases the likelihood of automated attacks, potentially leading to widespread account compromises if user IDs are easily enumerable. Additionally, compromised accounts may be leveraged for lateral movement or privilege escalation within the organization’s IT environment. The vulnerability could also undermine trust in project management processes and lead to compliance issues under data protection regulations such as GDPR if personal or sensitive data is exposed or altered.

European organizations using OpenProject should immediately upgrade to version 16.6.2 or later, where the vulnerability is patched. If upgrading is not feasible, applying the vendor-provided manual patch to secure the password-change endpoint is critical. Organizations should implement additional compensating controls such as web application firewalls (WAFs) to detect and block abnormal password-change request patterns and rate-limit requests at the network perimeter. Enforcing strong password policies and encouraging users to adopt multi-factor authentication (MFA) where supported can reduce the risk of successful password guessing. Monitoring logs for unusual password-change activity and failed attempts can help detect ongoing attacks. Restricting access to the OpenProject instance via IP whitelisting or VPNs can further reduce exposure. Regular security assessments and penetration testing focused on authentication mechanisms are recommended to identify similar weaknesses. Finally, educating users about the risks of weak passwords and phishing can help mitigate account compromise risks.