CVE-2026-24772

HIGH
2026-01-28 [email protected]
8.9
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 28, 2026 - 19:16 nvd
HIGH 8.9

Tags

Authentication Bypass Openproject

Description

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.

Analysis

Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication tokens by exploiting insufficient validation of backend URLs in the real-time collaboration synchronization server. An attacker with valid credentials could redirect the synchronization server to a controlled endpoint, forcing it to send the decrypted token and enabling unauthorized access to document collaboration features. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all OpenProject 17.0+ instances and assess exposure; isolate affected systems from untrusted networks if possible. Within 7 days: Implement network segmentation to restrict synchronization server access, monitor for suspicious activity, and establish communication plan with stakeholders. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

45
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +44
POC: 0

Share

CVE-2026-24772 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy