OpenProject 2FA Bypass: Brute-Force Vulnerability Uncovered

A significant vulnerability, tracked as CVE-2026-33667, has been identified in OpenProject, an open-source project management application. According to the National Vulnerability Database, versions prior to 17.3.0 are susceptible to a 2FA bypass due to a critical oversight in the two-factor authentication module. Specifically, the confirm_otp action lacks any rate limiting, lockout mechanisms, or failed-attempt tracking for OTP verification.

The National Vulnerability Database highlighted that OpenProject’s existing brute-force blocking only applies to password login failures, completely ignoring the 2FA verification stage. This means an attacker who already possesses a user’s password can brute-force the 6-digit TOTP code. With a default TOTP drift window of ±60 seconds, allowing for approximately five valid codes at any given time, a determined attacker could theoretically attempt 5-10 codes per second, potentially cracking the 2FA in about 11 hours. This issue also extends to backup code verification, effectively neutralizing the protection 2FA is meant to provide. The vulnerability carries a CVSS score of 7.4 (HIGH) and has been patched in version 17.3.0.
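As an added illustration (not OpenProject's own code), this is the kind of per-user failed-attempt counter with temporary lockout that the advisory reports was missing from the OTP verification stage, written in Ruby because OpenProject is a Rails application. The class and method names are hypothetical, and the in-memory Hash stands in for whatever store the application would use.

```ruby
# Added example, not OpenProject's own code. A per-user counter of failed
# OTP / backup-code attempts with a temporary lockout: the control the
# advisory reports was missing from OTP verification. The class and method
# names are hypothetical; @state is an in-memory Hash standing in for a
# database or cache row keyed by user id.
class OtpAttemptLimiter
  MAX_FAILURES = 5          # failed attempts allowed before lockout
  LOCKOUT_SECONDS = 15 * 60 # how long the OTP stage stays locked

  # The clock is injectable so tests can simulate time passing.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @state = Hash.new { |h, k| h[k] = { failures: 0, locked_until: nil } }
  end

  # True while the user's OTP stage is locked; clears an expired lockout.
  def locked?(user_id)
    locked_until = @state[user_id][:locked_until]
    return false if locked_until.nil?
    return true if @clock.call < locked_until

    @state[user_id] = { failures: 0, locked_until: nil }
    false
  end

  # Check one submitted code. The block does the real TOTP / backup-code
  # comparison and returns true or false. Result is :locked, :ok or :invalid.
  # While locked the block is never called, so a lucky guess made during the
  # lockout is rejected without revealing that it was correct.
  def verify(user_id)
    return :locked if locked?(user_id)

    if yield
      @state.delete(user_id) # success resets the counter
      :ok
    else
      s = @state[user_id]
      s[:failures] += 1
      s[:locked_until] = @clock.call + LOCKOUT_SECONDS if s[:failures] >= MAX_FAILURES
      :invalid
    end
  end

  # Current failed-attempt count for a user (0 once reset or never used).
  def failures(user_id)
    @state[user_id][:failures]
  end
end
```

The same limiter instance should guard both the TOTP path and the backup-code path, since the advisory notes the gap covers both.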

Indicators of Compromise

ID               Type         Indicator
CVE-2026-33667   Auth Bypass  OpenProject versions prior to 17.3.0
CVE-2026-33667   Auth Bypass  2FA OTP verification in confirm_otp action of two_factor_authentication module
CVE-2026-33667   Auth Bypass  Brute-force vulnerability on 6-digit TOTP code and backup code verification
