CVE-2026-44733 opf CVE debrief

Who should care

Administrators and users of OpenProject versions prior to 17.3.2 and 17.4.0 should be aware of this vulnerability and take steps to mitigate it. This includes updating to a patched version and monitoring for any suspicious activity. Additionally, users should be cautious when using public computers or unsecured networks to access OpenProject.

Technical summary

CVE-2026-44733 is a business logic error in OpenProject that allows attackers to bypass password requirements. The vulnerability exists in the change password behavior and can be exploited through a PATCH request to /api/v3/users/me. An attacker would need an active session takeover to exploit this vulnerability. The CVSS score for this vulnerability is 5.9, indicating a medium level of severity. The vulnerability has been fixed in OpenProject versions 17.3.2 and 17.4.0.

Defensive priority

Defenders should prioritize patching OpenProject instances to versions 17.3.2 or 17.4.0. In addition to patching, defenders should monitor for suspicious activity, such as unusual login attempts or changes to user accounts.

Recommended defensive actions

• Update OpenProject to version 17.3.2 or 17.4.0
• Monitor for suspicious activity, such as unusual login attempts or changes to user accounts
• Implement additional security measures, such as multi-factor authentication
• Conduct regular security audits and vulnerability assessments
• Educate users on the importance of password security and best practices

Evidence notes

The CVE-2026-44733 vulnerability was reported through the National Vulnerability Database (NVD) and is classified as a business logic error. The vulnerability has a CVSS score of 5.9 and is considered medium severity. The vulnerability was fixed in OpenProject versions 17.3.2 and 17.4.0. Limited information is available on potential exploits or attacks.

Official resources