CVE Catalog

CVE-2026-44733

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

In OpenProject prior to versions 17.3.2 and 17.4.0, a business logic error in the password change mechanism allows bypassing password strength requirements via a PATCH request to /api/v3/users/me. An attacker with an active session takeover can change a user's password to a weak one.

Risk Assessment

The risk is that an attacker who has taken over an active session can set a weak password, facilitating further unauthorized access to the account and potentially to sensitive project data.

Recommendation

Immediately update OpenProject to version 17.3.2 or 17.4.0, which fixes this vulnerability. After updating, consider forcing all users to change their passwords.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements. A password validation flaw in the change password behavior allows attackers to change a user's password only with an active session takeover. This vulnerability is fixed in 17.3.2 and 17.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS