CVE-2026-24772

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.

CVSS v3 8.9 HIGH

8.9^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/opf/openproject/security/advisories/GHSA-r854-p5qj-x974

Configurations

No configuration.

History

28 Jan 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-28 19:16

Updated : 2026-01-29 16:31

NVD link : CVE-2026-24772

Mitre link : CVE-2026-24772

CVE.ORG link : CVE-2026-24772

JSON object : View

Products Affected

No product.

CWE

CWE-345

Insufficient Verification of Data Authenticity

8.9 /10