PT-2026-5180 · Openproject · Openproject

Author: Scott Curtis
Published: 2026-01-28 · Updated: 2026-02-12

CVE-2026-24775
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenProject versions 17.0.0 through 17.0.1

Description: OpenProject is web-based project management software. A flaw exists in the BlockNote editor extension introduced in version 17.0.0, which allows mentioning OpenProject work packages within collaborative documents. The extension does not properly validate the work package ID used in the API call that loads work package details. This allows an attacker to create documents containing relative links that, when opened, trigger arbitrary GET requests to any URL within the OpenProject instance. The issue was addressed in version 0.0.22 of the op-blocknote-extensions component, included in OpenProject 17.0.2.

Recommendations: Update to OpenProject version 17.0.2. If an immediate update is not possible, disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.
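As an added defender's illustration (not OpenProject's code and not the patched extension), the kind of check the description calls for: a work package ID taken from document content must be validated as a plain integer before it is used to build the API path, so a crafted value cannot steer the request to another URL within the instance. The function names, the `/api/v3/work_packages/` path shape and the sample mention values are assumptions constructed for this example.

```javascript
// Constructed example (not OpenProject code): validate a work-package ID
// taken from document content before using it to build an API path.

const API_PREFIX = "/api/v3/work_packages/"; // assumed path shape, for illustration only

// Unsafe pattern: the ID is interpolated as-is, so whatever the document
// carries becomes part of the request target.
function unsafeApiPath(rawId) {
  return `${API_PREFIX}${rawId}`;
}

// Hardened pattern: accept only a canonical positive integer. Path
// segments, query strings, absolute URLs, signs, leading zeros and empty
// values are rejected, so no request is built for them.
function parseWorkPackageId(rawId) {
  if (typeof rawId !== "string" && typeof rawId !== "number") return null;
  const s = String(rawId).trim();
  if (!/^[1-9][0-9]{0,15}$/.test(s)) return null;
  return Number(s);
}

function safeApiPath(rawId) {
  const id = parseWorkPackageId(rawId);
  if (id === null) return null; // caller skips the fetch and renders a placeholder
  return `${API_PREFIX}${encodeURIComponent(String(id))}`;
}

// Constructed mention values as they might arrive from a document. The
// first two are legitimate; the rest are shapes a validator must refuse.
const SAMPLE_MENTIONS = ["42", " 7 ", "42/../../projects", "42?x=1",
  "https://example.test/x", "-1", "007", ""];

// Returns, for each sample, what the unsafe and the hardened builder produce.
function checkMentions(mentions = SAMPLE_MENTIONS) {
  return mentions.map((m) => ({ raw: m, unsafe: unsafeApiPath(m), safe: safeApiPath(m) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkMentions()) console.log(JSON.stringify(r));
}
```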

Tags: Exploit · Fix · DoS

Weakness Enumeration
Insufficient Verification of Data Authenticity

Related Identifiers
CVE-2026-24775
GHSA-35C6-X276-2PVC

Affected Products
Openproject
Op-Blocknote-Extensions