CVE-2026-22604
low-risk
Published 2026-01-10
OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2.
Do I need to act?
-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (4)
Issue Tracking
https://github.com/opf/openproject/pull/3451
Release Notes
https://github.com/opf/openproject/releases/tag/v16.6.2
26
/ 100
low-risk
Severity
21/34 · High
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal