CVE intelligence and bounded remediation

CVE-2026-24772 — OpenProject is an open-source, web-based project management software

Critical CVSS 9

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.

Severity
Critical
CVSS
9 (3.1)
Published
2026-01-28
CISA KEV
Not currently listed
Ecosystem
software/application
Weaknesses
CWE-345

Affected products

  • openproject / openproject

Matched remediation archetype

Supply-chain, dependency, build, and update integrity

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Trace affected packages, source archives, build actions, plugins, installers, and updates from declared source to deployed artifact.
  • Confirm provenance, signatures or digests, namespace ownership, lockfile resolution, registry configuration, and build-runner trust boundaries.
  • Inventory direct, transitive, vendored, generated, and bundled copies across releases and distribution channels.

Remediate safely

  • Move to a maintained trusted artifact or remove the dependency; pin immutable identities and verify provenance and integrity before use.
  • Regenerate lockfiles and artifacts in a clean isolated build, minimize build credentials and network access, and produce an updated software bill of materials.
  • Require reviewed update policy, protected publishing, and reproducible or independently attestable builds where supported.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.