CVE-2026-44696
Status: Deferred - Pending Action
OpenProject CSS Injection via Sanitize::Config::RELAXED

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS. This vulnerability is fixed in 17.4.0.
Affected Vendors & Products
Vendor: openproject
Product: openproject
Version / Range: prior to 17.4.0 (17.4.0 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-44696 is a stored CSS injection vulnerability in OpenProject versions prior to 17.4.0. It occurs because the software uses a relaxed CSS sanitization configuration (Sanitize::Config::RELAXED[:css]) that permits essentially all CSS properties in style attributes on certain HTML elements like figure, img, table, th, tr, and td.

This allows any authenticated user with write access to formattable text fields (such as work package descriptions, comments, project descriptions, and news) to inject malicious CSS code.

The injected CSS can be used to create full-screen phishing overlays, exfiltrate user data via external server requests, and spoof user interface elements like fake modal dialogs, because the sanitized HTML is rendered client-side without further CSS sanitization.

Compliance Impact

The vulnerability allows authenticated users to inject malicious CSS that can exfiltrate user data via external server requests and spoof UI elements to create phishing overlays. This unauthorized data exfiltration and potential phishing can lead to breaches of user privacy and data security.

Such security weaknesses can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure user authentication mechanisms. The ability to exfiltrate data or trick users into revealing sensitive information could result in violations of these regulations.

Therefore, until the vulnerability is fixed (in OpenProject version 17.4.0), affected systems may be at risk of non-compliance due to insufficient data protection and potential unauthorized data disclosure.

Impact Analysis

An attacker with write access to a formattable text field can inject CSS that compromises the user interface and user data. Possible consequences include:

  • Creation of persistent full-screen phishing overlays to trick users into revealing sensitive information.
  • Exfiltration of user data through silent external server requests triggered by injected CSS.
  • Spoofing of UI elements such as fake authentication prompts or modal dialogs to deceive users.
Detection Guidance

This vulnerability involves stored CSS injection in OpenProject versions prior to 17.4.0, where malicious CSS can be injected into formattable text fields by authenticated users with write access.

Detection can focus on inspecting the content of work package descriptions, comments, project descriptions, or news fields for suspicious inline style attributes containing unusual or potentially malicious CSS properties.

Since the vulnerability is related to stored CSS in HTML rendered client-side, network detection might involve monitoring HTTP responses from the OpenProject server for unexpected or suspicious CSS in permitted HTML elements such as figure, img, table, th, tr, and td.

Specific commands are not provided in the available resources, but general approaches include:

  • Using grep or similar tools on the database or exported data to search for style attributes with suspicious CSS properties.
  • Using browser developer tools to inspect rendered HTML in the affected fields for injected CSS.
  • Monitoring HTTP traffic for unusual CSS payloads in responses from OpenProject.
Mitigation Strategies

The primary mitigation step is to upgrade OpenProject to version 17.4.0 or later, where the vulnerability is fixed by replacing the RELAXED CSS sanitization configuration with a strict whitelist of allowed CSS properties.

Until the upgrade can be performed, consider restricting write access to formattable text fields to trusted users only, to reduce the risk of malicious CSS injection.

Additionally, review and sanitize existing content in formattable text fields to remove potentially malicious inline styles.
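The detection steps (searching stored content for style attributes with suspicious CSS properties) and the mitigation steps (a strict allowlist of CSS properties, plus cleanup of existing content) can be exercised with one small script. The Ruby example below is added here; it is not OpenProject's code and not the sanitize gem's. It assumes a hypothetical allowlist of four layout properties (the actual list shipped in 17.4.0 is not given on this page), scans HTML fragments with a regular expression rather than a full HTML parser (adequate for triage of exported text, not a replacement for the rendering pipeline's sanitizer), and runs over a constructed sample fragment that mirrors the overlay and external-request behaviour described above.

```ruby
# Added example (not OpenProject's or the sanitize gem's code): a strict
# allowlist for inline CSS declarations, a scanner that reports style
# attributes in stored HTML falling outside it, and a rewriter that strips
# the offending declarations.

require 'set'

# Hypothetical allowlist of layout-only properties. The real 17.4.0 list is
# not given on this page; adjust to what the rendered elements actually need.
ALLOWED_CSS_PROPERTIES = Set.new(%w[width height text-align vertical-align]).freeze

# Matches a style attribute (with its leading whitespace so it can be removed
# cleanly). The lookbehind stops "data-style=" from matching.
STYLE_ATTR_RE = /\s*(?<![\w-])style\s*=\s*(?:"([^"]*)"|'([^']*)')/i

# Split a style attribute value into [property, value] pairs, lower-casing
# the property name so "WIDTH" and "width" are treated alike.
def parse_declarations(style)
  style.split(';').map(&:strip).reject(&:empty?).filter_map do |decl|
    prop, value = decl.split(':', 2)
    next if value.nil?
    [prop.strip.downcase, value.strip]
  end
end

# A declaration passes only if its property is allowlisted and its value
# carries no url()/expression(), backslash escapes, @import or javascript:.
def declaration_allowed?(prop, value)
  return false unless ALLOWED_CSS_PROPERTIES.include?(prop)
  return false if value =~ /url\s*\(|expression\s*\(|\\|@import|javascript:/i
  true
end

# Rewrite a style attribute value keeping only allowed declarations.
def sanitize_style(style)
  parse_declarations(style)
    .select { |prop, value| declaration_allowed?(prop, value) }
    .map { |prop, value| "#{prop}: #{value}" }
    .join('; ')
end

# Detection: list every disallowed declaration found in an HTML fragment.
def find_disallowed_css(html)
  findings = []
  html.scan(STYLE_ATTR_RE) do |dq, sq|
    parse_declarations(dq || sq).each do |prop, value|
      findings << "#{prop}: #{value}" unless declaration_allowed?(prop, value)
    end
  end
  findings
end

# Cleanup: pass every style attribute in the fragment through the allowlist,
# dropping the attribute entirely when nothing survives.
def sanitize_html_styles(html)
  html.gsub(STYLE_ATTR_RE) do
    cleaned = sanitize_style($1 || $2)
    cleaned.empty? ? '' : %( style="#{cleaned}")
  end
end

# Constructed sample: one benign figure and one table cell whose inline
# style attempts a full-viewport overlay with an external background fetch.
SAMPLE_HTML = <<~HTML
  <figure style="width: 50%; text-align: center"><img src="a.png"></figure>
  <td style="position: fixed; top: 0; left: 0; width: 100vw; height: 100vh; background: url(https://attacker.invalid/pixel)">x</td>
HTML

if __FILE__ == $PROGRAM_NAME
  puts 'Disallowed declarations:'
  find_disallowed_css(SAMPLE_HTML).each { |f| puts "  #{f}" }
  puts 'Sanitized fragment:'
  puts sanitize_html_styles(SAMPLE_HTML)
end
```

Running `find_disallowed_css` over exported work package descriptions, comments, project descriptions and news bodies produces the triage list the Detection Guidance asks for; `sanitize_html_styles` is the kind of cleanup the Mitigation Strategies describe for content that already exists. Inside the sanitize gem itself the corresponding hardening is to stop passing `RELAXED[:css]` and instead supply a `:css` config whose `:properties` list is restricted to an allowlist of this shape, so that the restriction is enforced at render time rather than by post-processing.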
