CVE-2026-24775
OpenProject BlockNote Extension Improper Input Validation Allows SSRF
Publication date: 2026-01-28
Last updated on: 2026-02-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openproject | openproject | From 17.0.0 (inc) to 17.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the new editor for collaborative documents in OpenProject version 17.0.0, specifically in a custom extension that allows mentioning work packages. The extension did not properly validate the work package ID input to ensure it was only a number. This flaw allowed an attacker to create a document with relative links that, when opened, could trigger arbitrary GET requests to any URL within the OpenProject instance, potentially exposing internal data or functionality.
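The root cause described above is an identifier that was interpolated into a link path without first being confirmed to be a plain number. The following is an added example, not code from OpenProject or the op-blocknote-extensions package, contrasting a lax link builder with one that accepts only a canonical positive integer. The path prefix, function names, and sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not OpenProject's or op-blocknote-extensions' code).
// Assumed path prefix for work package links; adjust to the real route.
const WORK_PACKAGE_PATH = "/work_packages/";

// Lax approach: whatever the mention node carries is placed in the href
// unchanged. Anything that is not a bare number therefore reshapes the
// resulting relative URL instead of being rejected.
function buildHrefLax(id) {
  return WORK_PACKAGE_PATH + String(id);
}

// Strict approach: accept only a canonical positive decimal integer
// (no sign, leading zeros, decimal point, exponent, whitespace or slash).
// Returns null for anything else so the caller can drop the mention
// rather than render a link from untrusted text.
function parseWorkPackageId(value) {
  if (typeof value === "number") {
    return Number.isSafeInteger(value) && value > 0 ? value : null;
  }
  if (typeof value !== "string") return null;
  if (!/^[1-9][0-9]*$/.test(value)) return null;
  const n = Number(value);
  return Number.isSafeInteger(n) ? n : null;
}

function buildHrefStrict(value) {
  const id = parseWorkPackageId(value);
  return id === null ? null : WORK_PACKAGE_PATH + id;
}

// Constructed sample inputs: valid IDs plus malformed values that the lax
// builder would embed verbatim and the strict builder refuses.
const SAMPLE_INPUTS = ["42", 42, "042", "42/../elsewhere", "4e2", " 42", "", 3.5];

// Returns [input, laxHref, strictHref] for each sample so the difference is
// visible side by side.
function compareBuilders() {
  return SAMPLE_INPUTS.map((v) => [v, buildHrefLax(v), buildHrefStrict(v)]);
}

for (const row of compareBuilders()) console.log(row);
```

The strict parser deliberately rejects `"042"` and `"4e2"` even though `Number()` would coerce both to integers: an ID that round-trips through `Number` is no guarantee that the original string contained only digits, and the string, not the coerced number, is what ends up in the link if a builder forgets to normalise it.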
How can this vulnerability impact me?
The vulnerability can allow an attacker to make arbitrary GET requests within the OpenProject instance by exploiting the improper validation of work package IDs. This could lead to unauthorized access to internal URLs and potentially sensitive information or functionality within the OpenProject environment. It may also disrupt availability as indicated by the CVSS score's high impact on availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update OpenProject to version 17.0.2 or later, which includes the patched version 0.0.22 of op-blocknote-extensions. If updating is not possible immediately, disable collaborative document editing by navigating to Settings -> Documents -> Real time collaboration and selecting Disable.