CVE-2026-22604

Source
https://cve.org/CVERecord?id=CVE-2026-22604
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22604.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22604
Aliases
  • GHSA-q7qp-p3vw-j2fh
Published
2026-01-10T01:07:02.555Z
Modified
2026-03-01T02:56:36.844372Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
OpenProject is vulnerable to user enumeration via the change password function
Details

OpenProject is an open-source, web-based project management software. In OpenProject versions from 11.2.1 to before 16.6.2, sending a POST request to the /account/changepassword endpoint with an arbitrary User ID as the passwordchangeuserid parameter caused the resulting error page to show the username of the requested user. Since this endpoint is intended to be called without authentication, this made it possible to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22604.json"
}
References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type
GIT
Repo
https://github.com/opf/openproject
Events

Affected versions

11.*
11.2.1
v11.*
v11.2.1
v11.2.2
v11.2.3
v11.2.4
v16.*
v16.0.0
v16.0.1
v16.1.0
v16.1.1
v16.2.0
v16.2.1
v16.2.2
v16.3.0
v16.3.1
v16.3.2
v16.4.0
v16.4.1
v16.5.0
v16.5.1
v16.6.0
v16.6.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22604.json"