CVE-2026-24772
CVE-2026-24772 is a high-severity vulnerability in Openproject with a CVSS 3.x base score of 8.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-345.
Key facts
- Severity: High (CVSS 3.x base score 8.9)
- EPSS exploit prediction: 0% (5th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-4877
- Weakness: CWE-345
- Affected product: Openproject
- Published:
- Last modified:
Description
OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.
Frequently asked questions
- What is CVE-2026-24772?
- OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.
- How severe is CVE-2026-24772?
- CVE-2026-24772 has a CVSS 3.x base score of 8.9, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability low.
- Is CVE-2026-24772 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (5th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-24772?
- CVE-2026-24772 affects Openproject. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-24772?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-24772 have an EU (EUVD) identifier?
- Yes. CVE-2026-24772 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4877.
- When was CVE-2026-24772 published?
- CVE-2026-24772 was published on 2026-01-28 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
More vulnerabilities in Openproject
- CVE-2026-34717 — Critical (CVSS 9.9): OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in…
- CVE-2026-25763 — Critical (CVSS 9.9): OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary…
- CVE-2026-32698 — Critical (CVSS 9.1): OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and…
- CVE-2026-22600 — Critical (CVSS 9.1): OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in…
- CVE-2026-32703 — Critical (CVSS 9.0): OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and…
- CVE-2026-24685 — High (CVSS 8.8): OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an…
All CVEs affecting Openproject →
Other CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities
- CVE-2026-35051 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an…
- CVE-2014-8165 — Critical (CVSS 10.0): scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote…
- CVE-2026-50195 — Critical (CVSS 9.9): containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the…
- CVE-2022-36130 — Critical (CVSS 9.9): HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated…
- CVE-2026-50214 — Critical (CVSS 9.8): The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing…
- CVE-2025-15385 — Critical (CVSS 9.8): Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows…
Browse all CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities →