OpenProject User Enumeration Vulnerability via Change Password Endpoint

Vulnerability

A user enumeration vulnerability has been identified in OpenProject versions from 11.2.1 up to, but not including, 16.6.2. When an unauthenticated user sends a POST request to the /account/change_password endpoint with a User ID specified in the password_change_user_id parameter, the response includes the username of the requested user. Because the target user is taken from a client-supplied parameter rather than from an authenticated session, this flaw allows the usernames of all accounts registered in the OpenProject instance to be enumerated.

Impact

Exploitation of this vulnerability allows for the enumeration of usernames of all accounts registered in the OpenProject instance.

Reproduction

To reproduce this vulnerability, send a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter. The response will include the username associated with the specified User ID.
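Because the request shape is a POST to /account/change_password carrying a password_change_user_id parameter, enumeration attempts stand out in application logs as one source address requesting many distinct user ids from that endpoint. The following detection sketch is an added example, not code from OpenProject or from this advisory; the log excerpt is constructed in a Rails-style request log format (OpenProject is a Rails application, but the exact log layout and parameter filtering of a given deployment are assumptions), and the threshold of three distinct ids is an arbitrary choice.

```ruby
require 'set'

# Constructed Rails-style request log excerpt (sample data, not a real OpenProject log).
SAMPLE_LOG = <<~LOG
  Started POST "/account/change_password" for 203.0.113.5 at 2026-01-10 02:10:01 +0000
    Parameters: {"password_change_user_id"=>"1", "authenticity_token"=>"[FILTERED]"}
  Started POST "/account/change_password" for 203.0.113.5 at 2026-01-10 02:10:02 +0000
    Parameters: {"password_change_user_id"=>"2", "authenticity_token"=>"[FILTERED]"}
  Started POST "/account/change_password" for 203.0.113.5 at 2026-01-10 02:10:02 +0000
    Parameters: {"password_change_user_id"=>"3", "authenticity_token"=>"[FILTERED]"}
  Started POST "/account/change_password" for 203.0.113.5 at 2026-01-10 02:10:03 +0000
    Parameters: {"password_change_user_id"=>"4", "authenticity_token"=>"[FILTERED]"}
  Started GET "/projects" for 203.0.113.5 at 2026-01-10 02:10:04 +0000
  Started POST "/account/change_password" for 198.51.100.7 at 2026-01-10 02:12:00 +0000
    Parameters: {"password_change_user_id"=>"17", "authenticity_token"=>"[FILTERED]"}
  Started POST "/account/change_password" for 198.51.100.7 at 2026-01-10 02:12:30 +0000
    Parameters: {"password_change_user_id"=>"17", "authenticity_token"=>"[FILTERED]"}
LOG

# "Started <VERB> "<path>" for <ip> at ..." opens each request in a Rails log.
START_RE = /\AStarted (?<verb>[A-Z]+) "(?<path>[^"]+)" for (?<ip>\S+) at /
# The parameter of interest, as it appears on the following "Parameters:" line.
PARAM_RE = /"password_change_user_id"=>"(?<uid>[^"]*)"/

# Returns { ip => Set of user ids } for POSTs to the change-password endpoint.
# The Parameters line belongs to the most recent Started line, so we carry the
# source IP forward only while that request is the one we care about.
def ids_requested_per_ip(log)
  requests = Hash.new { |h, k| h[k] = Set.new }
  current_ip = nil
  log.each_line do |line|
    if (m = START_RE.match(line.strip))
      on_endpoint = m[:verb] == 'POST' && m[:path] == '/account/change_password'
      current_ip = on_endpoint ? m[:ip] : nil
    elsif current_ip && (m = PARAM_RE.match(line))
      requests[current_ip] << m[:uid]
    end
  end
  requests
end

# Source IPs that asked for at least `threshold` distinct user ids; a legitimate
# password-change flow carries a single id, so a spread of ids is the signal.
def enumeration_suspects(log, threshold: 3)
  ids_requested_per_ip(log).select { |_, ids| ids.size >= threshold }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  ids_requested_per_ip(SAMPLE_LOG).each { |ip, ids| puts "#{ip}: #{ids.size} distinct ids" }
  puts "suspects: #{enumeration_suspects(SAMPLE_LOG).inspect}"
end
```

On the constructed excerpt the script reports 203.0.113.5 (four distinct ids in a few seconds) and leaves 198.51.100.7 alone, since repeating the same id is what a user retrying a form looks like. In a real deployment, pair the count with a time window and check whether the deployment's parameter filtering hides password_change_user_id before relying on this pattern.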

Remediation

Users should upgrade to OpenProject version 16.6.2 or 17.0.0.
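Upgrading is the fix; the example below only illustrates the class of defect the advisory describes so that reviewers of similar code can recognise it. It is an added, hypothetical handler pair written for this page, not OpenProject's code and not its actual patch: the user store, the session keys and the response shapes are all assumptions. The flawed variant resolves the subject of the password change from the client-supplied password_change_user_id parameter and echoes that user's login; the hardened variant takes the subject only from server-side session state and answers every unauthenticated request identically, so the response no longer varies with the id and nothing about other accounts can be learned from it.

```ruby
# Constructed user table standing in for the application's user model (sample data).
User = Struct.new(:id, :login)
USERS = { 1 => User.new(1, 'admin'), 2 => User.new(2, 'j.doe') }.freeze

LOGIN_REDIRECT = { status: 302, body: 'redirect to /login' }.freeze

# Flawed pattern: the target user comes from a request parameter and the page
# renders that user's login, whether or not anyone is logged in.
def change_password_flawed(params, _session)
  user = USERS[params['password_change_user_id'].to_i]
  return { status: 404, body: 'not found' } unless user
  { status: 200, body: "Change password for #{user.login}" }
end

# Hardened pattern: the target user is taken only from session state the server
# wrote itself (assumed keys: a pending forced-change id, or the logged-in user),
# never from the request, and unauthenticated requests all get the same reply.
def change_password_hardened(_params, session)
  user_id = session[:password_change_user_id] || session[:user_id]
  user = user_id && USERS[user_id]
  return LOGIN_REDIRECT unless user
  { status: 200, body: "Change password for #{user.login}" }
end

# Does the handler's unauthenticated response vary with the supplied id?
# Any variation between existing and non-existing ids is an enumeration oracle.
def leaks_by_id?(handler)
  empty_session = {}
  bodies = %w[1 2 999].map do |id|
    send(handler, { 'password_change_user_id' => id }, empty_session)[:body]
  end
  bodies.uniq.size > 1
end

if __FILE__ == $PROGRAM_NAME
  puts "flawed leaks: #{leaks_by_id?(:change_password_flawed)}"
  puts "hardened leaks: #{leaks_by_id?(:change_password_hardened)}"
end
```

The check in leaks_by_id? is the property worth keeping in a regression test: for an unauthenticated caller, the response to the change-password endpoint must be identical for an existing id, a second existing id and a non-existent one. The hardened handler also ignores the parameter entirely when a session is present, so a logged-in user cannot be redirected onto someone else's account by editing the form.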

Added: Jan 10, 2026, 2:22 AM
Updated: Jan 10, 2026, 2:22 AM

Vulnerability Rating

Custom Algorithm

  spread          1.9
  impact          0.6
  exploitability  9.1
  remediation     7.7
  relevance       2.0
  threat          4.8
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.