CVE-2026-31974
Received Received - Intake
SSRF and Timing Leak in OpenProject SMTP Test Endpoint

Publication date: 2026-03-11

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create webhooks in OpenProject and point them to arbitrary IPs, resulting in the same kind of SSRF issue which allows attackers to scan the internal network. This vulnerability is fixed in 17.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31974
EUVD
EUVD-2026-11330
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openproject openproject to 17.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31974 is a Blind Server-Side Request Forgery (SSRF) vulnerability found in OpenProject versions prior to 17.2.0.

The vulnerability exists in the SMTP test endpoint (POST /admin/settings/mail_notifications), which accepts arbitrary host and port values.

This endpoint shows measurable differences in response behavior depending on whether the target IP exists and whether the specified port is open.

An attacker with appropriate access privileges can exploit these timing and error response differences to map internal hosts and identify reachable services and ports.

Additionally, OpenProject’s webhook functionality allows creation of webhooks pointing to arbitrary IP addresses, which similarly enables SSRF attacks to scan the internal network.

This vulnerability requires high privileges and has high attack complexity, with no user interaction needed.

It was fixed in OpenProject version 17.2.0.

Impact Analysis

This vulnerability allows an attacker with high privileges to perform internal network reconnaissance by mapping internal hosts and identifying which services and ports are reachable.

The impact on confidentiality is low, and there is no impact on integrity or availability.

Because the attacker can scan internal networks, it may expose information about internal infrastructure that could be used in further attacks.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the SMTP test endpoint of OpenProject (POST /admin/settings/mail_notifications) with arbitrary host and port values and observing differences in response timing and error messages. These differences indicate whether the target IP exists and if the port is open, revealing potential SSRF exploitation.'}, {'type': 'paragraph', 'content': 'Similarly, checking if webhooks in OpenProject are configured to point to arbitrary IP addresses can help identify if the SSRF issue is exploitable.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires high privileges, detection commands should be run with appropriate access.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send POST requests to /admin/settings/mail_notifications with different host and port parameters and measure response times and error messages.'}, {'type': 'list_item', 'content': "Example curl command: curl -X POST -d 'host=TARGET_IP&port=TARGET_PORT' https://your-openproject-instance/admin/settings/mail_notifications -v"}, {'type': 'list_item', 'content': 'Monitor response behavior differences to infer if the target IP and port are reachable.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade OpenProject to version 17.2.0 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the SMTP test endpoint and webhook configuration features to only trusted, high-privilege users to reduce the risk of exploitation.

Additionally, monitor and audit webhook configurations to ensure they do not point to arbitrary or untrusted internal IP addresses.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31974. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart