CVE-2026-24772
📋 TL;DR
OpenProject's real-time collaboration synchronization server (the hocuspocus component) does not properly validate backend URLs. An attacker who has already intercepted a user's authentication token can abuse this flaw to decrypt that token and gain unauthorized access to the user's account. Affected are OpenProject 17.0.0 through 17.0.1 installations with the real-time collaboration feature enabled. A successful attacker can impersonate the victim and perform actions on their behalf within the project management system.
💻 Affected Systems
- OpenProject
📦 What is this software?
OpenProject, an open-source web-based project management application developed by OpenProject GmbH.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover allowing attackers to access, modify, or delete sensitive project data, impersonate users in communications, and potentially pivot to other systems if the compromised account has elevated privileges.
Likely Case
Unauthorized access to project documents and data, potential data theft or modification, and privilege escalation within the OpenProject environment.
If Mitigated
Limited impact with proper network segmentation and monitoring, though authentication bypass remains possible if tokens are intercepted.
🎯 Exploit Status
Exploitation first requires obtaining a user's authentication token by other means (for example a man-in-the-middle position or network sniffing); the URL validation flaw is then used against the intercepted token. The synchronization server must be reachable by the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.0.2
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-r854-p5qj-x974
Restart Required: Yes
Instructions:
1. Backup your OpenProject installation and database.
2. Update OpenProject to version 17.0.2 or later using your package manager or deployment method.
3. Restart all OpenProject services, including the hocuspocus container if real-time collaboration is still enabled.
🔧 Temporary Workarounds
Disable Real-time Collaboration
Disables the vulnerable synchronization server feature entirely
Navigate to Settings -> Documents -> Real time collaboration -> Disable
Stop Hocuspocus Container
Stops the vulnerable synchronization server container or service. Use whichever command matches your deployment; the container or unit name may differ from the one shown:
docker stop hocuspocus
systemctl stop hocuspocus
🧯 If You Can't Patch
- Disable the real-time collaboration feature immediately via the web interface
- Block network access to the hocuspocus synchronization server at the firewall level
🔍 How to Verify
Check if Vulnerable:
The installation is vulnerable if the OpenProject version is 17.0.0 or 17.0.1 and real-time collaboration is enabled under Settings -> Documents -> Real time collaboration.
Check Version:
openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s'
The version is also shown in the web interface under Administration -> Information.
Verify Fix Applied:
Confirm the OpenProject version is 17.0.2 or later. If real-time collaboration was disabled or the hocuspocus container stopped as a workaround, re-enable it after the update and confirm that collaborative editing still works.
📡 Detection & Monitoring
Log Indicators:
- Requests from the synchronization server to backend URLs other than the configured OpenProject instance
- A valid authentication token used from an unexpected source address, or the same token active from several addresses at once (possible replay of an intercepted token)
- Authentication failures on tokens that are otherwise valid
Network Indicators:
- Traffic between the synchronization server and non-standard backend endpoints
- Signs of interception on the client-to-server path, such as plaintext (non-TLS) connections carrying tokens
SIEM Query:
Illustrative pseudo-query only: url_validation and backend_url are placeholder field names and must be mapped to the fields your log pipeline actually produces.
source="openproject" AND ("authentication token" OR "hocuspocus") AND (url_validation="failed" OR backend_url!="expected_domain")
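The two things a practitioner wants here are the shape of a strict backend URL check (the class of check the "Exploit Status" section says was done improperly) and detection logic that applies it to the synchronization server's logs. The following Ruby script is an added example and is not OpenProject or Hocuspocus code: the advisory does not show the actual validation, so loose_backend_ok? is a generic weak prefix/substring pattern, strict_backend_ok? is the exact origin comparison a hardened check performs, and suspicious_backend_requests scans constructed JSON-lines log entries with it. The log format, the field names ts, component and backend_url, and the EXPECTED_BACKEND value are assumptions for illustration.

```ruby
# Added example, not OpenProject or Hocuspocus code. The advisory says the
# synchronization server validated backend URLs improperly but does not show the
# check, so "loose" below is a generic weak pattern, "strict" is the origin
# comparison a hardened check should perform, and the log scan applies the strict
# check to constructed JSON-lines entries. The log shape, its field names and
# the EXPECTED_BACKEND value are assumptions for illustration.
require "json"
require "uri"

EXPECTED_BACKEND = "https://openproject.example.com" # assumed deployment value

# Weak pattern: a prefix/substring test. Lookalike hosts, userinfo tricks and
# scheme downgrades all slip through.
def loose_backend_ok?(url, expected = EXPECTED_BACKEND)
  url.start_with?(expected) || url.include?(URI(expected).host)
end

# Return [scheme, host, port] for an absolute http(s) URL without userinfo,
# or nil for anything else. Host is lowercased; port is the effective port,
# so "https://h" and "https://h:443" compare equal.
def origin_of(url)
  u = URI.parse(url.to_s)
  return nil unless u.is_a?(URI::HTTP) && u.host && u.userinfo.nil?
  [u.scheme.downcase, u.host.downcase, u.port]
rescue URI::InvalidURIError
  nil
end

# Strict check: the backend URL must have exactly the configured origin.
def strict_backend_ok?(url, expected = EXPECTED_BACKEND)
  origin = origin_of(url)
  !origin.nil? && origin == origin_of(expected)
end

# Constructed log lines (assumed JSON-lines format): one entry per request the
# synchronization server makes towards the backend it was told to use.
SAMPLE_LOG = <<~LOG
  {"ts":"2026-02-01T10:00:01Z","component":"hocuspocus","backend_url":"https://openproject.example.com/api/documents/42"}
  {"ts":"2026-02-01T10:00:07Z","component":"hocuspocus","backend_url":"https://openproject.example.com.attacker.test/api/documents/42"}
  {"ts":"2026-02-01T10:00:09Z","component":"hocuspocus","backend_url":"https://openproject.example.com@attacker.test/collect"}
  {"ts":"2026-02-01T10:00:12Z","component":"hocuspocus","backend_url":"http://openproject.example.com/api/documents/42"}
  {"ts":"2026-02-01T10:00:15Z","component":"hocuspocus","backend_url":"https://OpenProject.example.com:443/api/documents/43"}
  {"ts":"2026-02-01T10:00:20Z","component":"hocuspocus","event":"client_connected"}
  this line is not JSON and is skipped
LOG

# Scan log text and return the entries whose backend origin is not the expected one.
def suspicious_backend_requests(log_text, expected = EXPECTED_BACKEND)
  log_text.each_line.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next # unparseable line: skip it
    end
    url = entry["backend_url"] or next # entries without a backend URL are irrelevant
    next if strict_backend_ok?(url, expected)
    { ts: entry["ts"], backend_url: url, origin: origin_of(url) }
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_backend_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ts]} backend=#{hit[:backend_url]} origin=#{hit[:origin].inspect}"
  end
end
```

Run against the constructed sample, the scan flags the lookalike host, the userinfo trick (where origin_of returns nil because a userinfo component is never legitimate for a backend URL) and the scheme downgrade, while accepting the mixed-case host with an explicit :443. The same loose prefix check accepts all three bad URLs, which is the point of comparing the full origin rather than a string prefix. In a real deployment, replace the sample with your proxy or hocuspocus logs and map the field names accordingly.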