Description

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2.

INFO

Published Date :

2026-01-10T01:07:02.555Z

Last Modified :

2026-01-12T19:16:12.780Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22604 vulnerability.

Vendors Products
Openproject
  • Openproject
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22604.

URL Resource
https://github.com/opf/openproject/commit/2cff5e98649e32a197a62659a23dd4b864b7855b cve-icon cve-icon
https://github.com/opf/openproject/pull/3451 cve-icon cve-icon
https://github.com/opf/openproject/releases/tag/v16.6.2 cve-icon cve-icon
https://github.com/opf/openproject/security/advisories/GHSA-q7qp-p3vw-j2fh cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability