CVE-2026-24772 in openproject
Summary
by MITRE • 01/28/2026
OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/12/2026
The vulnerability described in CVE-2026-24772 represents a critical authentication bypass flaw within OpenProject's real-time collaboration feature introduced in version 17.0.0. This security weakness stems from improper validation of backend URLs within the synchronization server component that handles document collaboration. The vulnerability operates through a sophisticated attack vector where an attacker can intercept an encrypted authentication token and exploit the lack of proper URL validation to redirect the token to an attacker-controlled endpoint. The synchronization server's design flaw allows it to decrypt tokens using a shared secret and then forward the decrypted authentication token to any backend URL provided by the frontend, creating a pathway for unauthorized access.
The technical implementation of this vulnerability involves multiple layers of security failure that align with CWE-20 validation weaknesses and represent a classic case of insecure deserialization combined with improper input validation. The authentication token generation process itself appears secure as it uses encryption with a shared secret, but the subsequent handling by the synchronization server creates the exploitable condition. The server's failure to validate the backend URL against a whitelist or predefined acceptable endpoints constitutes a critical oversight that enables attackers to manipulate the token forwarding process. This flaw directly relates to ATT&CK technique T1566.001 which involves social engineering through spearphishing with links, as attackers could potentially craft malicious URLs to redirect token requests. The 24-hour validity period of the authentication token provides attackers with sufficient time window to intercept and exploit the vulnerability after initial access.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass full account compromise and unauthorized document manipulation capabilities. An attacker who successfully exploits this vulnerability can effectively impersonate any user within the OpenProject environment, gaining access to all documents and collaboration features that the compromised user has permissions for. This includes the ability to modify documents in real-time, access sensitive project information, and potentially escalate privileges through additional attack vectors. The vulnerability affects all OpenProject installations running version 17.0.0 through 17.0.1, making it particularly concerning for organizations that have not yet applied the security patch released in version 17.0.2. The real-time collaboration feature, while enhancing user experience, became a security liability due to the inadequate validation mechanisms implemented in the synchronization server architecture.
The recommended mitigation strategy involves multiple defensive measures that align with defense-in-depth principles and security best practices. The primary solution is to upgrade to OpenProject version 17.0.2 or later, which contains the necessary patches to address the URL validation vulnerability. Organizations should also implement the temporary workaround of disabling the real-time collaboration feature through the administrative settings, which effectively neutralizes the attack vector while maintaining core functionality. Additionally, the hocuspocus container should be disabled as it represents another potential entry point for attackers to exploit the vulnerability. This multi-layered approach addresses both the immediate security concern and prevents similar issues from arising in other components of the system. The vulnerability serves as a reminder of the importance of validating all external inputs and implementing proper access controls even in seemingly secure authentication flows, particularly when dealing with distributed systems that handle sensitive user data and collaborative workspaces.