CVE-2026-31974
SSRF and Timing Leak in OpenProject SMTP Test Endpoint
Publication date: 2026-03-11
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openproject | openproject | to 17.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31974 is a Blind Server-Side Request Forgery (SSRF) vulnerability found in OpenProject versions prior to 17.2.0.
The vulnerability exists in the SMTP test endpoint (POST /admin/settings/mail_notifications), which accepts arbitrary host and port values.
This endpoint shows measurable differences in response behavior depending on whether the target IP exists and whether the specified port is open.
An attacker with appropriate access privileges can exploit these timing and error response differences to map internal hosts and identify reachable services and ports.
Additionally, OpenProjectβs webhook functionality allows creation of webhooks pointing to arbitrary IP addresses, which similarly enables SSRF attacks to scan the internal network.
This vulnerability requires high privileges and has high attack complexity, with no user interaction needed.
It was fixed in OpenProject version 17.2.0.
How can this vulnerability impact me? :
This vulnerability allows an attacker with high privileges to perform internal network reconnaissance by mapping internal hosts and identifying which services and ports are reachable.
The impact on confidentiality is low, and there is no impact on integrity or availability.
Because the attacker can scan internal networks, it may expose information about internal infrastructure that could be used in further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the SMTP test endpoint of OpenProject (POST /admin/settings/mail_notifications) with arbitrary host and port values and observing differences in response timing and error messages. These differences indicate whether the target IP exists and if the port is open, revealing potential SSRF exploitation.'}, {'type': 'paragraph', 'content': 'Similarly, checking if webhooks in OpenProject are configured to point to arbitrary IP addresses can help identify if the SSRF issue is exploitable.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires high privileges, detection commands should be run with appropriate access.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send POST requests to /admin/settings/mail_notifications with different host and port parameters and measure response times and error messages.'}, {'type': 'list_item', 'content': "Example curl command: curl -X POST -d 'host=TARGET_IP&port=TARGET_PORT' https://your-openproject-instance/admin/settings/mail_notifications -v"}, {'type': 'list_item', 'content': 'Monitor response behavior differences to infer if the target IP and port are reachable.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenProject to version 17.2.0 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the SMTP test endpoint and webhook configuration features to only trusted, high-privilege users to reduce the risk of exploitation.
Additionally, monitor and audit webhook configurations to ensure they do not point to arbitrary or untrusted internal IP addresses.