CVE-2026-33667
Published: 15 April 2026
Summary
CVE-2026-33667 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). It ranks at the 16.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and AU-12 (Audit Record Generation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-7 enforces limits on consecutive invalid logon attempts through automatic account lockout or delays, directly preventing brute-force exploitation of the 2FA OTP and backup-code verification paths that lack rate limiting.
IA-5 requires that authenticators such as TOTP codes be managed and protected with sufficient strength against brute-force attacks, enforced through procedural controls.
AU-12 mandates audit records for unsuccessful logon attempts, enabling detection of brute-force activity during 2FA verification.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing rate limiting and lockout on 2FA OTP and backup-code verification directly enables brute-force guessing of the second factor (T1110) once the password is known. Because the flaw sits in a remotely accessible web application, it also facilitates exploitation for initial access (T1190).
NVD Description
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability applies to backup code verification. This effectively allows complete 2FA bypass for any account where the password is known. This issue has been fixed in version 17.3.0.
Deeper analysis
CVE-2026-33667 is a vulnerability in OpenProject, an open-source project management application, affecting versions prior to 17.3.0. It impacts the confirm_otp action within the two_factor_authentication module, where 2FA OTP verification lacks rate limiting, lockout mechanisms, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only applies to password login failures and does not extend to the 2FA verification stage, as the fail_login and stage_failure methods do not increment counters, lock accounts, or introduce delays.
An attacker who knows a user's password can exploit this over the network by brute-forcing the 6-digit TOTP code at roughly 5-10 attempts per second, leveraging the default TOTP drift window of ±60 seconds that allows approximately 5 valid codes at any time, with an expected completion time of about 11 hours. The same flaw applies to backup code verification, enabling complete 2FA bypass and full account compromise with high confidentiality and integrity impact. The vulnerability carries a CVSS score of 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts).
OpenProject has fixed this issue in version 17.3.0. Additional details on the vulnerability and mitigation are provided in the GitHub security advisory at https://github.com/opf/openproject/security/advisories/GHSA-234r-45m2-w6cv.
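The following illustrative Ruby verifier (added here; it is not OpenProject's code and does not reproduce its confirm_otp, fail_login or stage_failure implementation) shows the two properties the advisory turns on: a TOTP check with the ±60 s drift window, which is why about five codes are valid at any instant, and a failed-attempt counter with lockout that is applied to the 2FA stage itself rather than only to password logins. MAX_FAILURES, LOCK_SECONDS and the test secret are assumed values; a backup-code path would wrap the same counter.

```ruby
require 'openssl'

# Illustrative OTP verifier (not OpenProject code). Tracks failed OTP
# attempts per verifier instance (one per user) and locks at a threshold,
# the control that NIST AC-7 describes and that the vulnerable flow lacked.
class OtpVerifier
  MAX_FAILURES = 5      # hypothetical lockout threshold
  LOCK_SECONDS = 900    # hypothetical lockout duration in seconds

  # secret: raw HMAC key bytes; step: TOTP time step; drift: accepted skew (s)
  def initialize(secret, step: 30, drift: 60)
    @secret, @step, @drift = secret, step, drift
    @failures = 0
    @locked_until = 0
  end

  # RFC 4226 HOTP dynamic truncation for one counter value, six digits.
  def hotp(counter)
    digest = OpenSSL::HMAC.digest('SHA1', @secret, [counter].pack('Q>')).bytes
    offset = digest[19] & 0x0f
    bin = ((digest[offset] & 0x7f) << 24) | (digest[offset + 1] << 16) |
          (digest[offset + 2] << 8) | digest[offset + 3]
    format('%06d', bin % 1_000_000)
  end

  # Every code accepted at unix time `now`. With step 30 and drift 60 this
  # spans five counters, so a blind guess has ~5 chances in 10^6 per attempt.
  def valid_codes(now)
    first = (now - @drift) / @step
    last  = (now + @drift) / @step
    (first..last).map { |c| hotp(c) }.uniq
  end

  # Returns :ok, :invalid or :locked. Every wrong OTP increments the counter;
  # reaching MAX_FAILURES locks the 2FA stage for LOCK_SECONDS.
  def verify(code, now)
    return :locked if now < @locked_until
    if valid_codes(now).any? { |c| OpenSSL.secure_compare(c, code.to_s) }
      @failures = 0
      return :ok
    end
    @failures += 1
    return :invalid if @failures < MAX_FAILURES
    @failures = 0                      # counter restarts when the lock expires
    @locked_until = now + LOCK_SECONDS
    :locked
  end
end
```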
Details
- CWE(s)