cvedb.io
CVE-2026-33667
HIGH · CVSS 7.4
EPSS exploitation probability: 0%
Published 2026-04-15T19:16:35.603 · Last modified 2026-06-17T10:37:53.573

Summary

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability

Affected products

openproject — openproject

Does this affect you?

Add your gear to cvedb and we'll alert you only when openproject ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.