CVE-2026-22604 is an information disclosure vulnerability classified under CWE-200 affecting OpenProject, an open-source web-based project management tool. The flaw exists in versions from 11.2.1 up to but not including 16.6.2. The vulnerability arises because the /account/change_password endpoint, which is accessible without authentication, accepts a POST parameter named password_change_user_id. When an attacker submits this parameter with an arbitrary user ID, the server responds with an error page that includes the username corresponding to that ID. This behavior effectively allows an unauthenticated attacker to enumerate all registered usernames on the OpenProject instance by iterating through user IDs and observing the returned usernames. Such username enumeration can be leveraged to facilitate more sophisticated attacks like credential stuffing, social engineering, or targeted phishing campaigns. The vulnerability impacts confidentiality by exposing sensitive user identity information but does not affect integrity or availability. The CVSS v4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (no authentication or user interaction required) and the limited scope of impact. The issue was publicly disclosed and patched in OpenProject version 16.6.2, which removes the username disclosure from error responses. No known exploits are currently reported in the wild, but the vulnerability presents a clear risk to organizations running vulnerable versions of OpenProject.

For European organizations using vulnerable OpenProject versions, this vulnerability poses a risk primarily to user confidentiality. Exposure of usernames can enable attackers to conduct targeted phishing, social engineering, or brute force attacks against known accounts, potentially leading to unauthorized access if credentials are weak or reused. While the vulnerability does not directly compromise system integrity or availability, the information leakage can be a stepping stone for further attacks that may have more severe consequences. Organizations in sectors relying heavily on project management tools—such as IT, engineering, and government—may face increased risk due to the sensitive nature of project data and collaboration. Additionally, compliance with data protection regulations like GDPR may be impacted if user information is exposed without proper authorization. The vulnerability's ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and enumeration attempts, especially in environments exposed to the internet.

1. Upgrade OpenProject to version 16.6.2 or later, where the vulnerability is patched and username disclosure is eliminated. 2. If immediate upgrade is not feasible, implement web application firewall (WAF) rules to detect and block POST requests to /account/change_password containing the password_change_user_id parameter from untrusted sources. 3. Restrict access to the /account/change_password endpoint to authenticated users only, if possible, via access control configurations or reverse proxy rules. 4. Monitor server logs for unusual enumeration patterns, such as repeated POST requests with varying user IDs to the affected endpoint. 5. Educate users about phishing risks and encourage strong, unique passwords combined with multi-factor authentication to reduce the impact of potential credential-based attacks. 6. Conduct regular security assessments and vulnerability scans to identify outdated OpenProject instances and ensure timely patching. 7. Review and limit publicly exposed user information in error messages and API responses to minimize information leakage.