OpenProject, an open-source, web-based project management software, has a vulnerability that allows attackers to enumerate user accounts. Specifically, for OpenProject versions from 11.2.1 to before 16.6.2, an unauthenticated POST request to the /account/change_password endpoint can reveal the usernames of registered users. This is due to the endpoint displaying the username on the resulting error page when an arbitrary User ID is provided as the password_change_user_id parameter.
The CVSS score for this vulnerability is 6.9, indicating a medium severity level. The low attack complexity combined with the lack of required privileges for exploitation makes this a significant concern. Organizations using affected versions should be aware of the potential risks associated with user enumeration.
Risk to organizations includes potential exposure of user accounts, which can lead to further attacks, such as phishing or unauthorized access attempts. Given the nature of this vulnerability and its ease of exploitation, organizations should prioritize patching immediately.
This issue has been patched in version 16.6.2 of OpenProject, making it crucial for organizations to update to this version or later to mitigate the risks associated with this vulnerability.
Vulnerability Details
The vulnerability allows for user enumeration by exposing usernames through an unauthenticated endpoint. The critical details of the vulnerability include:
Affected versions: OpenProject 11.2.1 to before 16.6.2.
CWE classification: CWE-200 (Information Exposure).
The vulnerability was published on January 10, 2026; the analysis below covers its impact and how it could be exploited.
Technical Analysis
The root cause of this vulnerability stems from the design of the /account/change_password endpoint, which is accessible without authentication. Because of this design flaw, anyone can send a POST request naming an arbitrary user ID in the password_change_user_id parameter, and the resulting error page reflects the username of that account.
The attack vector for this vulnerability is network-based, meaning that it can be exploited remotely. The attack complexity is low, and no privileges are required to exploit this vulnerability. Additionally, user interaction is not necessary, making it straightforward for an attacker to exploit.
The confidentiality impact is low: the vulnerability exposes usernames only, not credentials or other sensitive data. There is no impact on integrity or availability.
Risk & Impact Analysis
Organizations using OpenProject should be aware of the risks posed by this vulnerability. The ability to enumerate usernames can lead to targeted phishing attacks, where attackers can impersonate users or gain unauthorized access if they can guess passwords.
The blast radius for this vulnerability is significant, especially for organizations with many users, as it increases the likelihood of successful attacks. Given the medium CVSS score, organizations should address this vulnerability in their priority patch cycle.
At present, the vulnerability is not classified as actively exploited, and there are no known public exploits. However, the potential for exploitation still exists, making prompt remediation essential.
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
OpenProject versions from 11.2.1 to before 16.6.2 are affected. Organizations running these versions should upgrade to version 16.6.2 or later to mitigate the risk associated with this vulnerability.
Mitigation & Remediation
To remediate this vulnerability, organizations should upgrade OpenProject to version 16.6.2 or later. If immediate patching is not possible, consider implementing access controls to the affected endpoint until a patch can be applied.
For further security measures, organizations can consider conducting a comprehensive security assessment. Engaging in application security assessment can help identify and mitigate potential vulnerabilities.
Detection Guidance
To detect potential exploitation attempts, organizations should monitor logs for unusual POST requests to the /account/change_password endpoint. Specific indicators to monitor include:
- Frequency of requests with various user IDs.
- Patterns indicating enumeration attempts.
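The following script, added here as an illustration rather than taken from OpenProject or the original advisory, applies the guidance above to web server access logs: it parses constructed sample lines in the common "combined" format and flags any client IP that POSTs to /account/change_password at least `threshold` times within a sliding `window_seconds` span (both thresholds are tuning assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format; not real OpenProject logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "POST /account/change_password HTTP/1.1" 200 4312 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "POST /account/change_password HTTP/1.1" 200 4318 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "POST /account/change_password HTTP/1.1" 200 4320 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:00:03 +0000] "GET /projects HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:00:04 +0000] "POST /account/change_password HTTP/1.1" 200 4315 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:00:06 +0000] "POST /account/change_password HTTP/1.1" 200 4311 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2026:10:00:30 +0000] "POST /account/change_password HTTP/1.1" 302 0 "https://op.example/account/change_password" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/account/change_password"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def find_enumeration_bursts(lines, window_seconds=60, threshold=5):
    """Map client IP -> peak number of POSTs to TARGET_PATH seen inside one window,
    keeping only IPs at or above `threshold`. Lines are assumed chronological."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of matching POSTs still in the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != TARGET_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(find_enumeration_bursts(SAMPLE_LOG.splitlines()))
```

A standard access log does not record the POST body, so the password_change_user_id values themselves are not visible here; counting distinct user IDs per source requires application-level request logging.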
AppSecure Threat Intelligence Insight
The significance of CVE-2026-22604 lies in its potential to expose user information, which can have broader implications for user privacy and security. This vulnerability represents a pattern of design flaws in web applications that expose sensitive information without proper authentication.
Security teams should take this incident as a reminder to enforce strict access controls on sensitive endpoints and regularly review their applications for similar vulnerabilities. For more insights, consider reading about vulnerability management programs and the importance of proactive security measures.
Organizations should also consider the implementation of penetration testing to identify similar weaknesses in their applications.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.