CVE-2026-24772
Published: 28 January 2026
Summary
CVE-2026-24772 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in OpenProject (vendor: OpenProject). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 8.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the backend URL supplied to the synchronization server, preventing it from sending decrypted authentication tokens to attacker-controlled endpoints.
- AC-4 (Information Flow Enforcement): enforces information flow control policies so that the synchronization server directs requests containing decrypted tokens only to approved backend destinations.
- Information output filtering: filters information leaving the synchronization server to block transmission of decrypted authentication tokens to unauthorized backend URLs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing OpenProject synchronization server allows token leakage via a malicious backend URL (insufficient validation). This maps directly to T1190 (Exploit Public-Facing Application) for initial access and to T1528 (Steal Application Access Token) for obtaining valid authentication material that can be used to impersonate the victim.
NVD Description
OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check the user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.
Deeper analysis
CVE-2026-24772 is a vulnerability in OpenProject, an open-source web-based project management software, specifically affecting the synchronization server introduced in version 17.0.0 for real-time collaboration on documents. The backend generates a 24-hour authentication token, encrypts it with a shared secret known only to the synchronization server, and passes the encrypted token along with the backend URL to the server for user validation and intermittent saves during editing. The synchronization server fails to properly validate the provided backend URL, instead decrypting the token and sending it in a request to the specified endpoint.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) but requires user interaction (UI:R), such as tricking a victim into using a collaboration feature with a malicious backend URL. By intercepting an encrypted token through other means and controlling the backend URL passed to the synchronization server, the attacker receives the decrypted authentication token in the server's request. This allows the attacker to obtain a valid access token, enabling high confidentiality and integrity impacts (C:H/I:H) by interacting with OpenProject on the victim's behalf, with changed scope (S:C) and low availability impact (A:L), as reflected in the CVSS 3.1 score of 8.9 (CWE-345).
The vulnerability was fixed in OpenProject 17.0.2. As a workaround, administrators can disable the real-time collaboration feature via Settings -> Documents -> Real time collaboration -> Disable, and also disable the hocuspocus container. Additional details are available in the advisory at https://github.com/opf/openproject/security/advisories/GHSA-r854-p5qj-x974.
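As an added illustration of the SI-10 and AC-4 controls above (this is example code, not code from OpenProject or the hocuspocus project), the following Node.js check shows how a synchronization server can validate a client-supplied backend URL against an allowlist of approved origins before it forwards any decrypted token. The allowlist values, `isApprovedBackendUrl` and `backendRequestTarget` are assumptions made for the example.

```javascript
// Added example, not OpenProject's or hocuspocus's code. Constructed
// configuration: the only backend origins this sync server may talk to.
const APPROVED_BACKEND_ORIGINS = new Set([
  'https://openproject.example.internal',
  'https://openproject.example.internal:8443',
]);

// Returns true only if the candidate parses as a URL and its exact origin
// (scheme + host + port) is on the allowlist. Comparing the parsed origin
// rather than a string prefix defeats userinfo tricks such as
// https://good.example@evil.example, host-suffix lookalikes and port changes.
function isApprovedBackendUrl(candidate, approved = APPROVED_BACKEND_ORIGINS) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false; // unparseable input is rejected, never forwarded
  }
  if (url.protocol !== 'https:') return false;    // no cleartext token transport
  if (url.username || url.password) return false; // credentials in the URL are never legitimate here
  return approved.has(url.origin);
}

// Guard to call before the sync server issues the request that carries the
// decrypted token. It throws instead of sending the token to an unapproved
// endpoint, and re-checks the resolved target so a stray absolute path
// cannot redirect the request either.
function backendRequestTarget(backendUrl, path, approved = APPROVED_BACKEND_ORIGINS) {
  if (!isApprovedBackendUrl(backendUrl, approved)) {
    throw new Error('backend URL not in approved list; refusing to forward token');
  }
  const target = new URL(path, backendUrl);
  if (!approved.has(target.origin)) {
    throw new Error('resolved request target left the approved origin');
  }
  return target.toString();
}
```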
Details
- CWE(s): CWE-345 (Insufficient Verification of Data Authenticity)