Cyber Resilience

CVE-2026-24775

Medium

Published: 28 January 2026

Published
28 January 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
EPSS Score 0.0003 9.4th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24775 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Openproject Openproject. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24775 is a vulnerability in OpenProject, an open-source web-based project management software. It resides in a custom extension added to the BlockNote-based editor for collaborative documents, introduced in OpenProject version 17.0.0. The extension supports mentioning OpenProject work packages by loading their details via the OpenProject API but does not properly validate the provided work package ID to ensure it is numeric. This flaw enables the creation of relative links that, when the document is opened, trigger arbitrary GET requests to any internal URL within the OpenProject instance.

A low-privileged authenticated user can exploit this vulnerability by generating a collaborative document with a malicious work package mention using a relative URL path instead of a valid numeric ID. Exploitation requires user interaction, as a victim must open the document in the editor, prompting the unauthorized API calls. Successful exploitation yields low integrity impact and high availability impact, with no confidentiality loss, reflected in the CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H).

The issue, tied to CWE-345 (Insufficient Verification of Data Authenticity), was addressed in version 0.0.22 of the op-blocknote-extensions package, which ships with OpenProject 17.0.2. As a temporary measure, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable. Further details appear in the OpenProject security advisory at GHSA-35c6-x276-2pvc and the extension release notes at the v0.0.22 tag.

EU & UK References

Vulnerability details

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show…

more

work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Vuln in exposed web app (OpenProject) allows crafted document with malicious mention to trigger arbitrary internal requests on open; directly matches public-facing app exploitation and requires victim user execution of the stored collaborative document.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24772Same product: Openproject Openproject
CVE-2026-34717Same product: Openproject Openproject
CVE-2026-24685Same product: Openproject Openproject
CVE-2026-22601Same product: Openproject Openproject
CVE-2026-30239Same product: Openproject Openproject
CVE-2026-25763Same product: Openproject Openproject
CVE-2026-32698Same product: Openproject Openproject
CVE-2026-32703Same product: Openproject Openproject
CVE-2026-23625Same product: Openproject Openproject
CVE-2026-22600Same product: Openproject Openproject

Affected Assets

openproject
openproject
17.0.0 — 17.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the work-package ID input to ensure it is numeric before any API request is issued, blocking the arbitrary-GET vector.

prevent

Enforces information-flow rules so that only authorized numeric-ID requests to the work-package API are permitted, preventing the crafted relative-URL requests.

prevent

Allows administrators to disable the real-time collaborative editing feature entirely, removing the vulnerable BlockNote extension until patched.

References