CVE-2026-24775

6.3 MEDIUM

📋 TL;DR

OpenProject versions 17.0.0-17.0.1 contain a server-side request forgery (SSRF) vulnerability in the collaborative document editor. Attackers can craft documents with malicious work package IDs that trigger arbitrary GET requests to internal OpenProject endpoints. All OpenProject instances with collaborative document editing enabled are affected.

💻 Affected Systems

Products:
  • OpenProject
Versions: 17.0.0 through 17.0.1
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when collaborative document editing is enabled (default in affected versions).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal APIs, retrieve confidential data, or pivot to internal systems if OpenProject has network access to other services.

🟠 Likely Case

Unauthorized access to internal OpenProject API endpoints, potentially exposing work package details, user information, or project data.

🟢 If Mitigated

Limited impact with proper network segmentation and minimal internal API exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires a user to open a malicious document, but exploitation is straightforward once the document is accessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 17.0.2

Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-35c6-x276-2pvc

Restart Required: Yes

Instructions:

1. Update OpenProject to version 17.0.2 or later.
2. Restart the OpenProject service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable collaborative document editing (applies to: all)

Temporarily disable the vulnerable feature until patching is possible.

Navigate to Settings -> Documents -> Real time collaboration -> Disable.

🧯 If You Can't Patch

  • Disable collaborative document editing immediately
  • Implement network segmentation to limit OpenProject's internal network access

🔍 How to Verify

Check if Vulnerable:

Check OpenProject version via web interface or command line. Versions 17.0.0-17.0.1 are vulnerable.

Check Version:

openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s'

Verify Fix Applied:

Confirm OpenProject version is 17.0.2 or later and op-blocknote-extensions is version 0.0.22 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests from document editor
  • Requests to unexpected endpoints with work package IDs

Network Indicators:

  • Unusual internal API traffic patterns from OpenProject instance

SIEM Query:

source="openproject" AND (uri_path="/api/v3/work_packages/*" OR user_agent="BlockNote") AND status=200
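As an added example (not from this page or from the OpenProject project), the following Python applies the same predicate as the SIEM query above to constructed access-log lines, and additionally tallies, per user, the distinct work package IDs fetched with the editor's user agent, which is the "unusual API requests from document editor" signal listed under Log Indicators. The combined-log format, the "BlockNote" user-agent string and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample access-log lines (combined-log style; the real OpenProject or
# reverse-proxy format may differ). The 404 line models an editor lookup of an unknown ID.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2026:10:01:02 +0000] "GET /api/v3/work_packages/42 HTTP/1.1" 200 1834 "-" "BlockNote"
10.0.0.5 - alice [12/Mar/2026:10:01:03 +0000] "GET /api/v3/work_packages/43 HTTP/1.1" 200 1902 "-" "BlockNote"
10.0.0.7 - bob [12/Mar/2026:10:02:10 +0000] "GET /api/v3/work_packages/7 HTTP/1.1" 200 1700 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/Mar/2026:10:02:11 +0000] "GET /api/v3/work_packages/9999 HTTP/1.1" 404 120 "-" "BlockNote"
10.0.0.5 - alice [12/Mar/2026:10:02:12 +0000] "GET /projects/demo HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
WP_ID_RE = re.compile(r'^/api/v3/work_packages/(\d+)')
EDITOR_UA = "BlockNote"  # assumed user-agent string, taken from the SIEM query

def parse_line(line):
    """Fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def matches_siem_rule(rec):
    """The page's SIEM predicate: (work_packages path OR editor UA) AND status 200."""
    return rec["status"] == "200" and (
        fnmatch(rec["path"], "/api/v3/work_packages/*") or rec["ua"] == EDITOR_UA
    )

def find_matches(log_text):
    """Parsed records satisfying the SIEM rule, in log order."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and matches_siem_rule(r)]

def editor_work_package_ids(log_text):
    """Distinct work package IDs requested through the editor, keyed by user.
    Every status counts: lookups of unknown IDs are themselves a signal."""
    ids = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ua"] == EDITOR_UA:
            m = WP_ID_RE.match(rec["path"])
            if m:
                ids[rec["user"]].add(m.group(1))
    return dict(ids)
```

Note that the OR in the query also matches ordinary API clients fetching work packages (the "Mozilla/5.0" line above), so in practice the user-agent side of the rule should be tuned to the editor's real request signature to keep the alert volume manageable.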
