Description
OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours and encrypts it with a shared secret known only to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server, which uses them to check the user's ability to work on the document and to perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request carrying the decrypted authentication token to whatever endpoint it was given. An attacker could use this vulnerability to decrypt a token they intercepted by other means and so obtain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally, the `hocuspocus` container should be disabled.
Published: 2026-01-28
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via server-side request forgery
Action: Immediate Patch
AI Analysis

Impact

OpenProject’s synchronization server in version 17.0.0 introduced an endpoint that accepts a user‑supplied backend URL without proper validation. When a client sends a request containing an encrypted authentication token, the server decrypts the token and forwards it in a request to the supplied URL. An attacker who holds an intercepted token can use this flaw to make the synchronization server decrypt it and hand back a valid access token, effectively allowing the attacker to act on the victim’s behalf. The flaw is tracked as CWE‑345 and manifests as server‑side request forgery; it can lead to unauthorized account access and potential data leakage.
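The defensive control the description points at is validation of the client-supplied backend URL before any decrypted token is sent to it. The following is an added example, not OpenProject or Hocuspocus code, of an allowlist check a synchronization server could apply; the allowlist value and the function name are assumptions, and the vulnerable pattern it replaces is simply using the client-supplied URL as the request target.

```javascript
// Added example (not OpenProject or Hocuspocus code).
// Only backend origins configured at startup may ever receive a decrypted token.
const ALLOWED_BACKENDS = ["https://openproject.example.com"]; // constructed config value

// Returns the normalized URL string if `candidate` is an https URL on an
// allowlisted origin, otherwise null. Callers must refuse to forward on null.
function allowedBackendUrl(candidate, allowlist = ALLOWED_BACKENDS) {
  let url;
  try {
    url = new URL(candidate); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;          // no plaintext or exotic schemes
  if (url.username || url.password) return null;       // rejects "allowed.host@evil.net" forms
  // Exact origin comparison (scheme + host + port); no prefix or suffix matching,
  // so "openproject.example.com.evil.net" does not pass.
  const allowed = allowlist.some((entry) => new URL(entry).origin === url.origin);
  if (!allowed) return null;
  return url.toString(); // host lowercased, default port dropped
}

// Decision wrapper: the token is only attached when the target passed validation.
function buildForward(candidate, decryptedToken) {
  const target = allowedBackendUrl(candidate);
  if (target === null) {
    return { forward: false, reason: "backend URL not allowlisted" };
  }
  return { forward: true, target, headers: { Authorization: `Bearer ${decryptedToken}` } };
}
```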

Affected Systems

The vulnerability exists in OpenProject 17.0.0 through 17.0.1. It is resolved in 17.0.2. Affected systems are installations of the OpenProject web application and the accompanying Hocuspocus synchronization container that are configured to enable real‑time collaboration.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity, but the EPSS score is below 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers would first need a way to obtain or guess a token, either by interception or phishing. Once a token is available, the flaw lets the server decrypt it and the resulting access token can be used against the target OpenProject instance. Based on the description, the likely attack vector is an authenticated but unauthorized user, or a malicious party, who can manipulate the backend URL parameter. Because no higher privileges on the target system are required, the exploit is relatively straightforward for an attacker who has gathered a token.

Generated by OpenCVE AI on April 18, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade OpenProject to version 17.0.2 or later
  • Disable real‑time collaboration in Settings → Documents → Real time collaboration → Disable
  • Stop or restrict the hocuspocus synchronization container from accepting external requests

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 20:45:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

Thu, 29 Jan 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Openproject, Openproject openproject

Type: Vendors & Products
Values removed: (none)
Values added: Openproject, Openproject openproject

Wed, 28 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 18:30:00 +0000

Type: Description
Values removed: (none)
Values added: OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.

Type: Title
Values removed: (none)
Values added: OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server

Type: Weaknesses
Values removed: (none)
Values added: CWE-345

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T18:31:44.037Z

Reserved: 2026-01-26T21:06:47.868Z

Link: CVE-2026-24772

Vulnrichment

Updated: 2026-01-28T18:31:32.581Z

NVD

Status: Analyzed

Published: 2026-01-28T19:16:24.763

Modified: 2026-02-12T20:41:11.210

Link: CVE-2026-24772

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses