CVE-2026-24775

CVE-2026-24775 is a medium-severity vulnerability in Openproject with a CVSS 3.x base score of 6.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-345.

Key facts

Description

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.

Frequently asked questions

What is CVE-2026-24775?
OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.
How severe is CVE-2026-24775?
CVE-2026-24775 has a CVSS 3.x base score of 6.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity low, and availability high.
Is CVE-2026-24775 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (1st percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-24775?
CVE-2026-24775 affects Openproject. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-24775?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-24775 have an EU (EUVD) identifier?
Yes. CVE-2026-24775 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4878.
When was CVE-2026-24775 published?
CVE-2026-24775 was published on 2026-01-28 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Openproject

All CVEs affecting Openproject →

Other CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities

Browse all CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities →