CVE-2026-24775
Published: 28 January 2026
Summary
CVE-2026-24775 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Openproject Openproject. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-24775 is a vulnerability in OpenProject, an open-source web-based project management software. It resides in a custom extension added to the BlockNote-based editor for collaborative documents, introduced in OpenProject version 17.0.0. The extension supports mentioning OpenProject work packages by loading their details via the OpenProject API but does not properly validate the provided work package ID to ensure it is numeric. This flaw enables the creation of relative links that, when the document is opened, trigger arbitrary GET requests to any internal URL within the OpenProject instance.
A low-privileged authenticated user can exploit this vulnerability by generating a collaborative document with a malicious work package mention using a relative URL path instead of a valid numeric ID. Exploitation requires user interaction, as a victim must open the document in the editor, prompting the unauthorized API calls. Successful exploitation yields low integrity impact and high availability impact, with no confidentiality loss, reflected in the CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H).
The issue, tied to CWE-345 (Insufficient Verification of Data Authenticity), was addressed in version 0.0.22 of the op-blocknote-extensions package, which ships with OpenProject 17.0.2. As a temporary measure, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable. Further details appear in the OpenProject security advisory at GHSA-35c6-x276-2pvc and the extension release notes at the v0.0.22 tag.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4878
Vulnerability details
OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show…
more
work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln in exposed web app (OpenProject) allows crafted document with malicious mention to trigger arbitrary internal requests on open; directly matches public-facing app exploitation and requires victim user execution of the stored collaborative document.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the work-package ID input to ensure it is numeric before any API request is issued, blocking the arbitrary-GET vector.
Enforces information-flow rules so that only authorized numeric-ID requests to the work-package API are permitted, preventing the crafted relative-URL requests.
Allows administrators to disable the real-time collaborative editing feature entirely, removing the vulnerable BlockNote extension until patched.