CVE-2026-24772
Authentication Token Decryption via URL Validation Flaw in OpenProject
Publication date: 2026-01-28
Last updated on: 2026-02-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openproject | openproject | From 17.0.0 (inc) to 17.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The flaw is in OpenProject 17.0.0 and 17.0.1 (fixed in 17.0.2): the real-time collaboration synchronization server (the 'hocuspocus' component) does not validate the backend URL it is handed. The OpenProject backend generates an authentication token valid for 24 hours, encrypts it, and sends it to the synchronization server together with the backend URL. The synchronization server decrypts the token and then makes a request to whatever backend URL it was given, without checking that the URL belongs to the OpenProject instance. In effect the server is a decryption oracle: an attacker who has captured an encrypted token can replay it with a URL they control, obtain the decrypted token from the resulting request, and use it as an access token to interact with OpenProject as the victim for the remainder of the token's 24-hour lifetime.
How can this vulnerability impact me?
An attacker who obtains a token this way can interact with OpenProject as the victim for as long as the token remains valid. In real-time collaboration that means reading, modifying or saving documents as the victim, which can expose sensitive project data and compromise the victim's account.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to OpenProject 17.0.2 or later, where the flaw is fixed. If you cannot upgrade immediately, disable the collaboration feature under Settings -> Documents -> Real time collaboration (select Disable) and stop the 'hocuspocus' container as well, since the synchronization server is the component that makes the unvalidated request. Because the tokens are valid for 24 hours, treat any token an attacker may already have captured as usable until it expires.