Description
OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows users to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate that the given work package ID is only a number. This allowed an attacker to generate a document with relative links that, upon opening, could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.
Published: 2026-01-28
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Forced Actions and Content Spoofing via unchecked ID manipulation
Action: Patch
AI Analysis

Impact

The flaw arises because the BlockNote editor extension for OpenProject fails to enforce that the work package identifier is a numeric value. This omission allows an attacker to embed crafted relative links inside a collaborative document. When a user opens such a document, the client side of OpenProject automatically performs arbitrary GET requests to any URL inside the same instance. The resulting behaviour can trigger forced actions, create misleading or spoofed content, and lead to a persistent denial‑of‑service condition. The weakness is a classic case of insufficient input validation (tracked as CWE‑345). If a user’s browser issues requests to internal endpoints that perform state‑changing operations, the attacker can exercise unintended control over the system without elevated privileges.
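The missing check that the description and the Impact analysis above refer to, as an added illustration (not code from op-blocknote-extensions or OpenProject): a strict numeric validator for the mentioned work package ID, the unchecked URL builder it replaces, and a small triage helper for reviewing existing documents. The `/api/v3/work_packages/<id>` path and all function names are assumptions.

```javascript
// Added example (not code from op-blocknote-extensions or OpenProject):
// validate a mentioned work package ID before it is used in a request URL.
// Assumption: the extension fetches `/api/v3/work_packages/<id>` relative
// to the instance root; the function names here are hypothetical.

// A work package ID is a plain positive integer: no sign, leading zero,
// exponent, whitespace, dot or slash.
const WORK_PACKAGE_ID = /^[1-9][0-9]*$/;

// Returns the ID as a number, or null when the value is anything else.
function parseWorkPackageId(raw) {
  if (typeof raw === "number") {
    return Number.isSafeInteger(raw) && raw > 0 ? raw : null;
  }
  if (typeof raw !== "string" || !WORK_PACKAGE_ID.test(raw)) {
    return null;
  }
  const id = Number(raw);
  return Number.isSafeInteger(id) ? id : null;
}

// Vulnerable pattern (the defect the advisory describes): the value taken
// from the document is spliced into the path unchanged, so a non-numeric
// value decides where the GET request goes.
function buildUrlUnchecked(rawId) {
  return `/api/v3/work_packages/${rawId}`;
}

// Hardened form: no URL is built unless the ID passed validation.
function buildWorkPackageUrl(rawId) {
  const id = parseWorkPackageId(rawId);
  if (id === null) {
    throw new Error(`invalid work package id: ${JSON.stringify(rawId)}`);
  }
  return `/api/v3/work_packages/${id}`;
}

// Defender-side triage helper: which mention values in a document would
// the hardened check reject? Useful when reviewing existing documents.
function findInvalidMentions(mentionIds) {
  return mentionIds.filter((raw) => parseWorkPackageId(raw) === null);
}

// Constructed sample: two valid IDs and two values that must be rejected.
const sampleMentions = ["17", 4711, "17/../x", "abc"];
console.log(findInvalidMentions(sampleMentions)); // → ["17/../x", "abc"]
```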

Affected Systems

The affected deployments are OpenProject 17.0.0 and 17.0.1 that include the pre‑patched op‑blocknote‑extensions. The vulnerability is corrected in OpenProject 17.0.2, which ships with op‑blocknote‑extensions v0.0.22, or later releases.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score of less than 1 % suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires a malicious document to be opened by a user, making it a user‑involved, social‑engineering style exploit.

Generated by OpenCVE AI on April 18, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OpenProject release (17.0.2 or newer) that contains op‑blocknote‑extensions v0.0.22 or later, which fixes the ID validation flaw.
  • If an upgrade is not yet possible, immediately disable collaborative document editing by navigating to Settings → Documents → Real time collaboration and selecting Disable.
  • Monitor your OpenProject logs for unexpected GET requests to internal URLs and consider restricting users from opening untrusted documents until the patch is applied.



Advisories

No advisories yet.

History

Thu, 12 Feb 2026 20:45:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

Thu, 29 Jan 2026 10:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Openproject; Openproject openproject
Vendors & Products                      Openproject; Openproject openproject

Wed, 28 Jan 2026 19:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 18:30:00 +0000

Type           Values Removed    Values Added
Description                      (the CVE description shown at the top of this page)
Title                            OpenProject has Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension
Weaknesses                       CWE-345
References
Metrics                          cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T18:30:29.357Z

Reserved: 2026-01-26T21:06:47.869Z

Link: CVE-2026-24775

Vulnrichment

Updated: 2026-01-28T18:30:22.593Z

NVD

Status: Analyzed

Published: 2026-01-28T19:16:24.927

Modified: 2026-02-12T20:36:00.650

Link: CVE-2026-24775

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses