It was just announced on the WordPress development blog that 2.6.2 has been released. If you allow user registration, it’s highly recommended you upgrade immediately.

In versions 2.6.1 and earlier, it’s possible for one to create a username that is then able change the password of another user. Although this randomly generated password isn’t revealed to the attacker, it’s still an annoyance if your password gets randomly changed constantly.

Anyway, go ahead and upgrade WordPress ASAP, especially if you have open registration enabled.