CVE-2026-33667: CWE-307: Improper Restriction of Excessive Authentication Attempts in opf openproject
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability applies to backup code verification. This effectively allows complete 2FA bypass for any account where the password is known. This issue has been fixed in version 17.3.0.
AI Analysis
Technical Summary
CVE-2026-33667 describes an improper restriction of excessive authentication attempts (CWE-307) in OpenProject's two_factor_authentication module before version 17.3.0. The confirm_otp action lacks rate limiting and lockout mechanisms for 2FA OTP verification, and the brute_force_block_after_failed_logins setting only applies to password failures, not 2FA. Because the TOTP drift window allows multiple valid codes and attempts can be made at 5-10 per second, an attacker with a known password can brute-force the 6-digit OTP in about 11 hours, bypassing 2FA protections. Backup code verification is similarly affected. This vulnerability was addressed in OpenProject 17.3.0.
Potential Impact
An attacker who has obtained a user's password can bypass the two-factor authentication mechanism by brute-forcing the 6-digit TOTP or backup codes due to the lack of rate limiting and lockout on the 2FA verification stage. This leads to a complete compromise of the affected account's confidentiality and integrity. There is no indication of availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade OpenProject to version 17.3.0 or later, where this vulnerability has been fixed by implementing proper rate limiting and lockout mechanisms on 2FA OTP verification. Until upgrading, be aware that accounts with known passwords are vulnerable to 2FA bypass via brute force. The vendor advisory does not state a separate patch status, but the fix is included in version 17.3.0.
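The advisory's point is that the OTP stage needs its own failed-attempt counter and lockout, separate from the password-login counter. The following Ruby is an added illustration written for this page, not OpenProject's code: it implements RFC 6238 TOTP with the ±60 s drift window the advisory describes (so `acceptable_codes` shows why roughly 5 codes are valid at any moment) and wraps verification in a hypothetical `OtpGuard` that counts failures per user, resets on success and locks the user out after a limit. The secret and user name are constructed sample values.

```ruby
# Added illustration, not OpenProject's code: a TOTP check with the +-60s
# drift window described in the advisory, wrapped in per-user failed-attempt
# tracking and lockout, i.e. the control confirm_otp lacked before 17.3.0.
require 'openssl'

STEP_SECONDS  = 30
DRIFT_SECONDS = 60   # +-60s window, the default the advisory mentions
DIGITS        = 6

# RFC 6238 TOTP (HMAC-SHA1 over the 30s time counter), truncated per RFC 4226.
def totp(secret, unix_time, step: STEP_SECONDS, digits: DIGITS)
  counter = [unix_time / step].pack('Q>')            # 8-byte big-endian counter
  hmac    = OpenSSL::HMAC.digest('SHA1', secret, counter)
  offset  = hmac.getbyte(19) & 0x0f                  # dynamic truncation offset
  code    = (hmac.byteslice(offset, 4).unpack1('N') & 0x7fffffff) % (10**digits)
  format("%0#{digits}d", code)
end

# Every code the server accepts at `now` given the drift window: with a
# 30s step and +-60s this is up to 5 distinct codes, which is why a single
# guess has about 5 in 10^6 odds rather than 1 in 10^6.
def acceptable_codes(secret, now, drift: DRIFT_SECONDS, step: STEP_SECONDS)
  steps = drift / step
  (-steps..steps).map { |k| totp(secret, now + k * step) }.uniq
end

# Constant-time string comparison so timing does not leak matching digits.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical guard: counts failures per user, resets on success, and locks
# the user out after max_failures until lockout_seconds have passed. The
# same wrapper would apply to backup-code verification.
class OtpGuard
  Result = Struct.new(:ok, :reason)

  def initialize(max_failures: 5, lockout_seconds: 900)
    @max_failures    = max_failures
    @lockout_seconds = lockout_seconds
    @state = Hash.new { |h, k| h[k] = { failures: 0, locked_until: nil } }
  end

  def failures(user)
    @state[user][:failures]
  end

  def verify(user, secret, submitted, now)
    s = @state[user]
    if s[:locked_until]
      return Result.new(false, :locked) if now < s[:locked_until]
      s[:locked_until] = nil            # lockout expired: start a fresh count
      s[:failures]     = 0
    end

    matched = acceptable_codes(secret, now).any? { |c| secure_equal?(c, submitted.to_s) }
    if matched
      s[:failures] = 0
      return Result.new(true, :ok)
    end

    s[:failures] += 1
    if s[:failures] >= @max_failures
      s[:locked_until] = now + @lockout_seconds
      Result.new(false, :locked)
    else
      Result.new(false, :invalid)
    end
  end
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-demo-secret'                 # constructed sample secret
  now    = Time.now.to_i
  guard  = OtpGuard.new
  wrong  = ('000000'..'999999').find { |c| !acceptable_codes(secret, now).include?(c) }
  puts guard.verify(:alice, secret, totp(secret, now), now).reason   # ok
  5.times { puts guard.verify(:alice, secret, wrong, now).reason }    # invalid x4, then locked
  puts guard.verify(:alice, secret, totp(secret, now), now).reason   # locked, even with the right code
end
```

The lockout is keyed on the user whose second factor is being checked, not on the client address, because the scenario in the advisory is an attacker who already holds the password and can distribute attempts freely; with a limit of 5 failures and a 15-minute lockout, the exhaustive search the advisory estimates at about 11 hours at 5 attempts per second is no longer practical, and each lockout event is a concrete signal to alert on.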
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.220Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69dfe0a382d89c981f8dff94
Added to database: 4/15/2026, 7:01:55 PM
Last enriched: 4/15/2026, 7:17:03 PM
Last updated: 4/16/2026, 6:20:05 AM
Views: 11