CVE-2026-22604: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in opf openproject
OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows enumeration of the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2.
AI Analysis
Technical Summary
CVE-2026-22604 is an information disclosure vulnerability classified under CWE-200 affecting OpenProject, an open-source web-based project management software. The issue exists in versions from 11.2.1 up to but not including 16.6.2. The vulnerability arises because the /account/change_password endpoint, which is accessible without authentication, accepts a POST request containing a password_change_user_id parameter. When an attacker submits an arbitrary user ID, the resulting error page reveals the username associated with that ID. This behavior allows an unauthenticated attacker to enumerate all usernames registered on the OpenProject instance. Username enumeration is a critical reconnaissance step that can facilitate further attacks such as credential stuffing, brute-force password attacks, or social engineering. The vulnerability does not require any privileges or user interaction, making it easier to exploit remotely. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges required, no user interaction, and limited impact confined to confidentiality. The vulnerability was publicly disclosed on January 10, 2026, and has been patched in OpenProject version 16.6.2. No known exploits have been reported in the wild to date. Organizations running affected versions should prioritize upgrading to the patched release to prevent potential exploitation.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to confidentiality. The exposure of valid usernames can enable attackers to perform targeted attacks such as phishing campaigns, credential stuffing, or brute-force password attempts, potentially leading to unauthorized access if weak or reused passwords are present. Organizations in sectors with sensitive project data, such as government, finance, healthcare, and critical infrastructure, may face increased risk if attackers leverage username enumeration to compromise accounts. Although the vulnerability does not directly impact system integrity or availability, the indirect consequences of account compromise can be severe, including data breaches and operational disruptions. Since OpenProject is used widely across Europe for project management, especially in public sector and enterprise environments, the scope of affected systems is significant. Prompt patching is essential to mitigate these risks. The lack of authentication requirement and ease of exploitation increase the likelihood of reconnaissance activities by attackers scanning for vulnerable instances.
Mitigation Recommendations
European organizations should immediately upgrade OpenProject installations to version 16.6.2 or later, where this vulnerability is patched. If immediate upgrading is not feasible, organizations should implement access controls to restrict unauthenticated access to the /account/change_password endpoint, such as web application firewalls (WAFs) with custom rules to block suspicious POST requests containing the password_change_user_id parameter. Monitoring and logging of access to this endpoint should be enhanced to detect enumeration attempts. Additionally, organizations should enforce strong password policies and multi-factor authentication (MFA) to reduce the risk of account compromise even if usernames are exposed. Security awareness training should include phishing and social engineering defenses, given the increased risk from username disclosure. Regular vulnerability scanning and penetration testing can help identify any residual exposure. Finally, organizations should maintain an inventory of OpenProject versions deployed across their environment to ensure timely patch management.
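The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the advisory or from the OpenProject project: a small detector that scans request logs for a single client sending POSTs to /account/change_password with many different password_change_user_id values in a short window, which is the pattern an enumeration attempt leaves behind. The log format, the sample lines, the IP addresses and the thresholds are all constructed assumptions; real reverse proxies rarely record POST bodies, so the regex should be adapted to whatever your WAF or application log actually captures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed simplified WAF/proxy format):
# client IP, UTC timestamp, method, path, and the decoded
# password_change_user_id form field, or "-" when absent.
SAMPLE_LOG = """\
203.0.113.7 2026-01-10T01:48:54Z POST /account/change_password password_change_user_id=1
203.0.113.7 2026-01-10T01:48:55Z POST /account/change_password password_change_user_id=2
203.0.113.7 2026-01-10T01:48:55Z POST /account/change_password password_change_user_id=3
203.0.113.7 2026-01-10T01:48:56Z POST /account/change_password password_change_user_id=4
203.0.113.7 2026-01-10T01:48:56Z POST /account/change_password password_change_user_id=5
203.0.113.7 2026-01-10T01:48:57Z POST /account/change_password password_change_user_id=6
198.51.100.20 2026-01-10T01:50:00Z GET /account/change_password -
198.51.100.20 2026-01-10T01:50:09Z POST /account/change_password password_change_user_id=42
198.51.100.20 2026-01-10T01:50:09Z GET /projects -
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<param>\S+)$"
)
TARGET_PATH = "/account/change_password"  # endpoint named in the advisory
PARAM_NAME = "password_change_user_id"    # parameter named in the advisory


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    uid = None
    if m["param"].startswith(PARAM_NAME + "="):
        uid = m["param"].split("=", 1)[1]
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "uid": uid}


def find_enumeration(log_text, window=timedelta(minutes=5), min_distinct_ids=5):
    """Return {client_ip: sorted distinct user ids} for every client that
    POSTed to the change_password endpoint with at least `min_distinct_ids`
    different password_change_user_id values inside one sliding window.
    A single legitimate forced password change touches one id, so a
    client cycling through many ids is the enumeration signal."""
    events = defaultdict(list)  # ip -> [(timestamp, uid)]
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["method"] == "POST" and ev["path"] == TARGET_PATH and ev["uid"]:
            events[ev["ip"]].append((ev["ts"], ev["uid"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        hit = False
        for end in range(len(evs)):
            # shrink the window from the left until it fits `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ids_in_window = {uid for _, uid in evs[start:end + 1]}
            if len(ids_in_window) >= min_distinct_ids:
                hit = True
                break
        if hit:
            flagged[ip] = sorted({uid for _, uid in evs})
    return flagged


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: ids {', '.join(ids)}")
```

The thresholds are deliberately conservative: a single user finishing a forced password change produces one id, so five distinct ids from one client inside five minutes is unlikely to be legitimate traffic. If your logs cannot see the parameter value, the same sliding-window logic can be applied to the plain count of POSTs to the endpoint per client, at the cost of more false positives.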
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-07T21:50:39.533Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6961b006ed32c7f018eb8fe9
Added to database: 1/10/2026, 1:48:54 AM
Last enriched: 1/10/2026, 2:01:21 AM
Last updated: 1/10/2026, 8:42:38 PM