Cyber Resilience

CVE-2026-33667

High

Published: 15 April 2026

Modified: 17 April 2026
CVSS v3.1 Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0008 (23.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33667 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). EPSS ranks it at the 23.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and AU-12 (Audit Record Generation).

Deeper analysis

CVE-2026-33667 is a vulnerability in OpenProject, an open-source project management application, affecting versions prior to 17.3.0. It impacts the confirm_otp action within the two_factor_authentication module, where 2FA OTP verification lacks rate limiting, lockout mechanisms, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only applies to password login failures and does not extend to the 2FA verification stage, as the fail_login and stage_failure methods do not increment counters, lock accounts, or introduce delays.

An attacker who knows a user's password can exploit this over the network by brute-forcing the 6-digit TOTP code at roughly 5-10 attempts per second, leveraging the default TOTP drift window of ±60 seconds that allows approximately 5 valid codes at any time, with an expected completion time of about 11 hours. The same flaw applies to backup code verification, enabling complete 2FA bypass and full account compromise with high confidentiality and integrity impact. The vulnerability carries a CVSS score of 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts).

OpenProject has fixed this issue in version 17.3.0. Additional details on the vulnerability and mitigation are provided in the GitHub security advisory at https://github.com/opf/openproject/security/advisories/GHSA-234r-45m2-w6cv.
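The control the confirm_otp stage described above is missing, failed-attempt tracking with lockout and audit events (the AC-7 and AU-12 measures listed under Mitigating Controls), looks roughly like this. This is an added example, not OpenProject's code or its fix; the class name, thresholds and injected clock are assumptions, and the real TOTP/backup-code comparison is passed in as a boolean so the example runs offline.

```ruby
# Added example, not OpenProject's code: failed-attempt tracking, lockout and
# audit events for a second-factor verification stage, the controls that the
# confirm_otp action described above lacks (AC-7 / AU-12). Names, thresholds
# and the injected clock are assumptions; the real TOTP/backup-code check is
# passed in as a boolean so the example runs offline.
class OtpStageGuard
  MAX_FAILURES = 5            # consecutive wrong codes before the stage locks
  LOCKOUT_SECONDS = 15 * 60   # how long the stage stays locked

  Result = Struct.new(:status, :retry_after)  # status: :ok, :invalid, :locked

  attr_reader :audit  # list of {user:, event:, at:} records (AU-12 style)

  # clock: callable returning epoch seconds; injected so tests can advance time
  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @state = Hash.new { |h, k| h[k] = { failures: 0, locked_until: nil } }
    @audit = []
  end

  # code_valid: outcome of the real TOTP or backup-code comparison. It is only
  # honoured when the stage is not locked, so a locked user is rejected even
  # with a correct code and the lock does not act as an oracle.
  def verify(user_id, code_valid)
    s = @state[user_id]
    now = @clock.call
    if s[:locked_until] && now < s[:locked_until]
      return Result.new(:locked, s[:locked_until] - now)
    end
    if code_valid
      @state.delete(user_id)          # success resets the counter
      return Result.new(:ok, 0)
    end
    s[:failures] += 1
    @audit << { user: user_id, event: :otp_failure, at: now }
    if s[:failures] >= MAX_FAILURES
      s[:failures] = 0
      s[:locked_until] = now + LOCKOUT_SECONDS
      @audit << { user: user_id, event: :otp_locked, at: now }
      return Result.new(:locked, LOCKOUT_SECONDS)
    end
    Result.new(:invalid, 0)
  end

  def failures(user_id)
    @state[user_id][:failures]
  end
end
```

In a real deployment the per-user state would live in a shared store and the same counter would cover both TOTP and backup-code paths, since the advisory notes both are affected.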

Vulnerability details

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability applies to backup code verification. This effectively allows complete 2FA bypass for any account where the password is known. This issue has been fixed in version 17.3.0.

CWE(s)

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The missing rate limiting and lockout on 2FA OTP and backup code verification directly enables brute-force guessing of the second factor (T1110) once the password is known; because it is a remotely accessible web application vulnerability, it also facilitates exploitation for initial access (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-67853 (shared CWE-307)
CVE-2026-33640 (shared CWE-307)
CVE-2026-8760 (shared CWE-307)
CVE-2025-12995 (shared CWE-307)
CVE-2026-25945 (shared CWE-307)
CVE-2026-26305 (shared CWE-307)
CVE-2026-32729 (shared CWE-307)
CVE-2025-14362 (shared CWE-307)
CVE-2025-69246 (shared CWE-307)
CVE-2025-63807 (shared CWE-307)

Affected Assets

OpenProject, versions prior to 17.3.0 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: AC-7 (Unsuccessful Logon Attempts) enforces limits on consecutive invalid logon attempts with automatic account lockout or delays, directly preventing brute-force exploitation of the 2FA OTP and backup code verification that lacks rate limiting.

Prevent: IA-5 (Authenticator Management) requires management and protection of authenticators such as TOTP codes, with sufficient strength against brute-force attacks through procedural controls.

Detect: AU-12 (Audit Record Generation) mandates audit records for unsuccessful logon attempts, enabling detection of brute-force activity during 2FA verification.
