
CVE-2026-22603: CWE-307: Improper Restriction of Excessive Authentication Attempts in opf openproject

Severity: Medium
Published: Sat Jan 10 2026 (01/10/2026, 01:06:28 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls. This allows automated password-guessing (e.g., with wordlists of common passwords) against valid accounts. Successful guessing results in full account compromise for the targeted user and, depending on that user’s role, can lead to further privilege escalation inside the application. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.

AI-Powered Analysis

AI analysis last updated: 01/10/2026, 02:01:35 UTC

Technical Analysis

CVE-2026-22603 is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) and affects OpenProject, an open-source, web-based project management application. Prior to version 16.6.2, the unauthenticated password-change endpoint (/account/change_password) was not covered by the brute-force protections that guard the normal login form. Because the form has to verify the account's current password before it will accept a new one, every request to it is in effect a login attempt, but one that the login form's failed-attempt counter and lockout never see. An attacker who can enumerate or guess valid user IDs can therefore submit an unlimited number of candidate passwords for a target account, for example from a wordlist of common passwords, without being locked out or rate-limited. A correct guess yields full control of that account, and, depending on the compromised user's role, a path to further privilege escalation inside the application, including access to sensitive project data and administrative functions. The attack needs no authentication and no user interaction and is carried out remotely over the network. The CVSS 4.0 base score is 6.9 (medium); the site's reading of the vector is network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality and integrity. The issue is fixed in OpenProject 16.6.2; those who cannot upgrade immediately are advised to apply the fix manually. No exploitation in the wild had been reported as of the publication date.

Potential Impact

For European organizations, this vulnerability threatens the confidentiality and integrity of project management data and of the user accounts that hold it. Compromise of an account, in particular one with administrative or otherwise elevated privileges, can expose sensitive project information, allow manipulation of project timelines and work packages, and disrupt collaborative workflows, with knock-on effects on business operations, project delivery, and the protection of intellectual property or client data. Organizations that depend on OpenProject for critical project management face operational disruption and reputational damage if the flaw is exploited. The absence of brute-force protection on the password-change endpoint makes automated attacks cheap, particularly where user IDs can be enumerated, and the collaborative nature of the tool means that one compromised account is a natural foothold for moving to other projects and users within the application. Entities with data protection obligations such as the GDPR must treat a resulting account takeover as a potential reportable data breach.

Mitigation Recommendations

The primary mitigation is to upgrade OpenProject to version 16.6.2 or later, where the endpoint is brought under the same protections as the login form. Organizations that cannot upgrade immediately should apply the official fix manually. Until then, an interim rate limit or lockout in front of /account/change_password reduces exposure; it should count attempts per targeted account as well as per client IP, since a per-IP limit alone is defeated by distributing the guessing across many source addresses, and it should be understood as a stopgap, because a reverse proxy or WAF cannot distinguish a correct current password from a wrong one and therefore can only limit attempts, not failures. Monitoring and alerting on spikes in POST requests to the endpoint, or on many requests for a single account from many sources, helps detect guessing early. Where the deployment does not need external access to the password-change form, restricting it by network controls or WAF rules adds a further layer of defence. Strong password policies and multi-factor authentication limit what an attacker gains from a guessed password, and a regular audit of user roles and permissions limits how far a compromised account can escalate. User education on phishing and credential hygiene complements these technical controls.
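The interim controls above (a per-IP and per-account throttle in front of the endpoint, plus detection of request spikes) are illustrated below in Ruby, the language of the Rails application the advisory concerns. This is an added example, not OpenProject's code or its fix; it is a plain Rack middleware with no gem dependencies, the form field name `user_id` is an assumption about what the form posts, and the log format and log lines are constructed for the example. It limits attempts rather than failures, for the reason given above.

```ruby
require "uri"
require "stringio"
require "time"

# Sliding-window event counter keyed by an arbitrary string (client IP, account id, ...).
class SlidingWindow
  def initialize(limit:, period:)
    @limit = limit
    @period = period
    @events = Hash.new { |h, k| h[k] = [] }
  end

  # Records one event for +key+ at time +now+ (seconds) and returns true
  # when the key has now exceeded +limit+ events within the last +period+ seconds.
  def hit(key, now)
    list = @events[key]
    list.reject! { |t| t <= now - @period }
    list << now
    list.size > @limit
  end
end

# Rack middleware that throttles POSTs to the password-change form per client IP
# and per targeted account. It limits attempts, not failures: without the
# application's verdict it cannot tell a correct current password from a wrong one,
# which is why the real fix belongs in the application (OpenProject 16.6.2).
class PasswordChangeThrottle
  PATH = "/account/change_password"
  ACCOUNT_FIELD = "user_id" # assumed form field name; adapt to the real form

  def initialize(app, ip_limit: 10, account_limit: 5, period: 60, clock: -> { Time.now.to_f })
    @app = app
    @period = period
    @clock = clock
    @by_ip = SlidingWindow.new(limit: ip_limit, period: period)
    @by_account = SlidingWindow.new(limit: account_limit, period: period)
  end

  def call(env)
    return @app.call(env) unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == PATH

    now = @clock.call
    body = env["rack.input"].read
    env["rack.input"].rewind # leave the body readable for the application
    account = URI.decode_www_form(body).to_h[ACCOUNT_FIELD].to_s

    # Evaluate both counters so a blocked request still counts against each key.
    ip_over = @by_ip.hit(env["REMOTE_ADDR"].to_s, now)
    account_over = account.empty? ? false : @by_account.hit(account, now)
    if ip_over || account_over
      return [429, { "content-type" => "text/plain", "retry-after" => @period.to_s },
              ["Too many password-change attempts\n"]]
    end
    @app.call(env)
  end
end

# Detection side: flag client IPs that POST to the endpoint more than +threshold+
# times within +period+ seconds. The log format is constructed for this example:
# "<ISO-8601 time> <client ip> <method> <path> <status>".
def suspicious_sources(log_lines, threshold: 20, period: 60)
  window = SlidingWindow.new(limit: threshold, period: period)
  flagged = []
  log_lines.each do |line|
    ts, ip, method, path, _status = line.split
    next unless method == "POST" && path == PasswordChangeThrottle::PATH
    flagged << ip if window.hit(ip, Time.iso8601(ts).to_f) && !flagged.include?(ip)
  end
  flagged
end

# Constructed sample log: one source hammering the form, one normal user.
SAMPLE_LOG = (0...25).map { |i| "2026-01-10T01:00:#{format('%02d', i)}Z 203.0.113.7 POST /account/change_password 200" } +
             ["2026-01-10T01:00:05Z 198.51.100.4 POST /account/change_password 302"]

# Drives the middleware with a synthetic Rack env and returns the status code.
def post_change_password(app, ip:, account:)
  app.call(
    "REQUEST_METHOD" => "POST",
    "PATH_INFO" => PasswordChangeThrottle::PATH,
    "REMOTE_ADDR" => ip,
    "rack.input" => StringIO.new(URI.encode_www_form("user_id" => account, "password" => "guess"))
  ).first
end
```

With the defaults, the sixth attempt against one account within a minute is rejected regardless of source address, and the eleventh attempt from one address is rejected regardless of target; the detector over `SAMPLE_LOG` flags only 203.0.113.7. Deploy such a middleware in front of the application only as a stopgap until 16.6.2 is in place.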


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-07T21:50:39.533Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6961b006ed32c7f018eb8fe3

Added to database: 1/10/2026, 1:48:54 AM

Last enriched: 1/10/2026, 2:01:35 AM

Last updated: 1/10/2026, 7:23:19 PM

