Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, the OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, a user can create webhooks in OpenProject and point them at arbitrary IPs, resulting in the same kind of SSRF issue, which allows attackers to scan the internal network. This vulnerability is fixed in 17.2.0.
Published: 2026-03-11
Score: 3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Internal network enumeration via blind SSRF
Action: Patch
AI Analysis

Impact

OpenProject lets a user direct outbound connections to arbitrary hosts and ports through its SMTP test endpoint and webhook feature, creating blind SSRF opportunities. The response differs depending on whether the target IP address exists and whether the specified port is reachable, providing timing and error cues that an attacker can observe. By comparing these observable differences, an attacker can map internal hosts and discover which services or ports are listening inside the network, exposing internal topology without directly reading data from those services.

Affected Systems

Versions of OpenProject before 17.2.0 are affected. The flaw lies in the SMTP test endpoint (POST /admin/settings/mail_notifications) and the webhook creation interface, both of which allow requests to arbitrary IP addresses and ports. All affected releases listed by the vendor share the same flaw. Upgrading to 17.2.0 or later removes it.

Risk and Exploitability

The base severity score of 3.0 indicates low overall risk, and the estimated exploitation likelihood is below 1%, suggesting that widespread attacks are unlikely. The flaw does not appear in the federal catalog of known exploited vulnerabilities. Exploitation requires access to the OpenProject instance, either through authenticated user privileges or a compromised account, so the attack surface is limited to users who already hold accounts. Consequently, the risk is primarily to the confidentiality of internal network topology rather than direct data theft or code execution.

Generated by OpenCVE AI on March 23, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenProject 17.2.0 or newer
  • If an upgrade cannot be performed immediately, restrict OpenProject outbound traffic or block webhook URLs to prevent external requests
  • Limit user permissions to disable the ability to create webhooks or execute SMTP test actions
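A defensive target check of the kind the second recommended action calls for (rejecting webhook and SMTP test destinations on internal address ranges), written here as an added Ruby example; it is not OpenProject's code nor the 17.2.0 fix, and the method names, blocked ranges and the injectable resolver are assumptions.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address ranges an outbound webhook or SMTP test connection must never reach:
# "this network", RFC 1918, CGNAT, loopback, link-local, IPv6 unspecified/loopback/ULA/link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when the literal IP lies in a blocked range. IPv4-mapped IPv6 (::ffff:10.0.0.1)
# is unwrapped first so it cannot slip past the IPv4 list; unparsable input is unsafe.
def blocked_ip?(ip)
  addr = IPAddr.new(ip.to_s)
  addr = addr.native if addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true
end

def literal_ip?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Resolve the host (a literal IP stands for itself) and require that EVERY returned
# address is outside the blocked ranges, so a name mixing a public and a private
# record is still rejected. The resolver is injectable (assumed design) so the check
# runs offline; the default uses system DNS. Caveat: re-resolve or pin the address
# at connect time too, since this pre-check alone does not defeat DNS rebinding.
def safe_target?(host, resolver: ->(name) { Resolv.getaddresses(name) })
  return false if host.nil? || host.strip.empty?
  addresses = literal_ip?(host) ? [host] : resolver.call(host)
  !addresses.empty? && addresses.none? { |a| blocked_ip?(a) }
end

# Webhook targets must be http(s) URLs whose host passes safe_target?.
def safe_webhook_url?(url, resolver: ->(name) { Resolv.getaddresses(name) })
  uri = URI.parse(url.to_s)
  return false unless %w[http https].include?(uri.scheme) && uri.hostname
  safe_target?(uri.hostname, resolver: resolver)
rescue URI::InvalidURIError
  false
end
```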



Advisories

No advisories yet.

History

Mon, 23 Mar 2026 14:30:00 +0000

Values added:
  • First Time appeared: Openproject; Openproject openproject
  • CPEs: cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
  • Vendors & Products: Openproject; Openproject openproject

Thu, 12 Mar 2026 20:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Values added:
  • First Time appeared: Opf; Opf openproject
  • Vendors & Products: Opf; Opf openproject

Wed, 11 Mar 2026 20:00:00 +0000

Values added:
  • Description: (the text shown in the Description section above)
  • Title: Blind SSRF on OpenProject instance via webhooks
  • Weaknesses: CWE-918
  • References:
  • Metrics (cvssV3_1): {'score': 3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:55:19.387Z

Reserved: 2026-03-10T15:40:10.486Z

Link: CVE-2026-31974

Vulnrichment

Updated: 2026-03-12T19:55:15.714Z

NVD

Status: Analyzed

Published: 2026-03-11T20:16:17.280

Modified: 2026-03-23T14:25:54.067

Link: CVE-2026-31974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:39:56Z

Weaknesses