CVE-2026-24775
Published: 28 January 2026
Summary
CVE-2026-24775 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Openproject Openproject. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.
Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.
Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.
Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.
Control requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission.
Time synchronization supports reliable freshness verification when checking data authenticity across systems or components.
Mandates verification of data authenticity for software, firmware, and information.
Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln in exposed web app (OpenProject) allows crafted document with malicious mention to trigger arbitrary internal requests on open; directly matches public-facing app exploitation and requires victim user execution of the stored collaborative document.
NVD Description
OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show…
more
work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.
Deeper analysisAI
CVE-2026-24775 is a vulnerability in OpenProject, an open-source web-based project management software. It resides in a custom extension added to the BlockNote-based editor for collaborative documents, introduced in OpenProject version 17.0.0. The extension supports mentioning OpenProject work packages by loading their details via the OpenProject API but does not properly validate the provided work package ID to ensure it is numeric. This flaw enables the creation of relative links that, when the document is opened, trigger arbitrary GET requests to any internal URL within the OpenProject instance.
A low-privileged authenticated user can exploit this vulnerability by generating a collaborative document with a malicious work package mention using a relative URL path instead of a valid numeric ID. Exploitation requires user interaction, as a victim must open the document in the editor, prompting the unauthorized API calls. Successful exploitation yields low integrity impact and high availability impact, with no confidentiality loss, reflected in the CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H).
The issue, tied to CWE-345 (Insufficient Verification of Data Authenticity), was addressed in version 0.0.22 of the op-blocknote-extensions package, which ships with OpenProject 17.0.2. As a temporary measure, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable. Further details appear in the OpenProject security advisory at GHSA-35c6-x276-2pvc and the extension release notes at the v0.0.22 tag.
Details
- CWE(s)