CVE-2026-22604
MEDIUMOpenProject 11.2.1-16.6.1 - Unauthenticated Username Enumeration via Password Change Endpoint
Title source: llmDescription
OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/opf/openproject/security/advisories/GHSA-q7qp-p3vw-j2fh
Issue Tracking x_refsource_misc
https://github.com/opf/openproject/pull/3451
Patch x_refsource_misc
https://github.com/opf/openproject/commit/2cff5e98649e32a197a62659a23dd4b864b7855b
Release Notes x_refsource_misc
https://github.com/opf/openproject/releases/tag/v16.6.2
Scores
CVSS v3
5.3
EPSS
0.0025
EPSS Percentile
16.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (1)
openproject/openproject
11.2.1 - 16.6.2
Published
Jan 10, 2026
Tracked Since
Feb 18, 2026