Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Session prerequisite justifies AC:H and PR:L; permanent credential change warrants I:H over the original I:L; no availability impact applies.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements. A password validation flaw in the change password behavior allows attackers to change a user's password only with an active session takeover. This vulnerability is fixed in 17.3.2 and 17.4.0.
AnalysisAI
Password validation bypass in OpenProject's REST API allows an attacker who has already seized a valid user session to change that account's password without supplying the current password, exploiting CWE-620 (Unverified Password Change) via a crafted PATCH request to /api/v3/users/me. Affected versions are all OpenProject releases prior to 17.3.2 and 17.4.0 (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to first possess a valid, active session token for the target OpenProject user account - the CVE description explicitly states the flaw is only exploitable 'with an active session takeover,' which is corroborated by the CVSS AC:H and PR:L ratings. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N scores 5.9 Medium. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has captured a victim's active session token - for example via an XSS vulnerability, session fixation, or a stolen cookie - sends a crafted PATCH request to /api/v3/users/me with a new password value but without supplying the current password. Because the server fails to enforce old-password verification, the password is accepted and changed, locking out the legitimate user and granting the attacker durable account access even after the original session token expires. … |
| Remediation | Upgrade OpenProject to version 17.3.2 or 17.4.0, both confirmed as fixed releases by the vendor advisory at https://github.com/opf/openproject/security/advisories/GHSA-px7f-cj9f-7m4m. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openproject
View allA SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi
OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Same weakness CWE-620 – Unverified Password Change
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39861