PT-2026-24807 · Git+2 · Openproject

Adilburak

+1

·

Published

2026-03-11

·

Updated

2026-03-19

·

CVE-2026-31974

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 17.2.0
Description: OpenProject is a web-based project management software. Prior to version 17.2.0, the SMTP test endpoint, reached via the "POST /admin/settings/mail notifications" API endpoint, accepts arbitrary host and port values. An authenticated attacker with access to this endpoint can use it to map internal hosts and identify reachable services and ports from the timing and error differences in the server's response. Similarly, creating webhooks that point to arbitrary IPs results in a Server-Side Request Forgery (SSRF) issue, letting the attacker scan the internal network from the application server. The host and port parameters of the SMTP test endpoint are the vulnerable inputs.
Recommendations: Installations running a version prior to 17.2.0 should be updated to version 17.2.0 or later.
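The description above names the two ingredients of this class of bug: a user-supplied host/port that the server connects to unchecked, and a response whose timing or error text differs depending on what the connection found. The following is an added example, written for this page and not OpenProject's own code or fix, of the server-side guard a maintainer would put in front of an SMTP "send test mail" action or a webhook target. It is in Ruby because OpenProject is a Rails application; the function names, the blocked-range list and the injectable `resolver`/`probe` hooks are assumptions for illustration.

```ruby
require "ipaddr"
require "resolv"
require "socket"
require "timeout"

# Added example, not OpenProject code. Guards an outbound connection whose
# host and port come from a request (SMTP test target, webhook URL).

class UnsafeTargetError < StandardError; end

# Address space an outbound probe from the application server must never
# reach. The list is an assumption; extend it for your own environment.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/4
  240.0.0.0/4 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def internal_address?(ip)
  ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.1 is still 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Every address the host maps to. A literal IP is used as-is; a name goes
# through +resolver+, which must respond to getaddresses(name) as the
# stdlib Resolv module does (tests inject a fake so this runs offline).
def resolve_target(host, resolver)
  [IPAddr.new(host)]
rescue IPAddr::InvalidAddressError
  resolver.getaddresses(host).map { |addr| IPAddr.new(addr.to_s) }
end

# Raises UnsafeTargetError unless the port is sane and every address behind
# the host is public. Returns the vetted addresses so the caller connects to
# one of them directly; resolving the name a second time at connect time
# would reopen the hole via DNS rebinding.
def validate_outbound_target!(host, port, resolver: Resolv)
  port = Integer(port, exception: false)
  raise UnsafeTargetError, "invalid port" unless port && (1..65535).cover?(port)

  addrs = resolve_target(host.to_s.strip, resolver)
  raise UnsafeTargetError, "host does not resolve" if addrs.empty?
  raise UnsafeTargetError, "host is internal" if addrs.any? { |ip| internal_address?(ip) }

  addrs
end

# One fixed message for every connection failure, so the reply does not
# tell the caller whether the target refused, timed out or never answered.
GENERIC_FAILURE = "Test email could not be sent; check the server logs."

# +probe+ is the real connection attempt (e.g. Net::SMTP#start), injected
# here so outcomes can be simulated. Only the policy rejection is reported
# distinctly; it reveals nothing about the internal network.
def smtp_test_result(host, port, resolver: Resolv, &probe)
  addrs = validate_outbound_target!(host, port, resolver: resolver)
  probe.call(addrs.first, Integer(port))
  { ok: true, message: "Test email sent." }
rescue UnsafeTargetError
  { ok: false, message: "Target not allowed." }
rescue Timeout::Error, SystemCallError, SocketError, IOError
  # Log the exception class and message server-side; never echo them.
  { ok: false, message: GENERIC_FAILURE }
end
```

Two caveats a practitioner will want. First, validating the string alone is not enough: a name that resolves to a public address at check time and a private one at connect time defeats a check-then-resolve-again flow, which is why the function hands back the addresses it vetted. Second, collapsing the error text removes one oracle but not the timing one; with internal targets refused before any socket is opened, the remaining timing differences only concern public hosts the attacker could reach directly anyway.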

Exploit

Fix

SSRF


Weakness Enumeration

Related identifiers

CVE-2026-31974
GHSA-9WR7-J98G-2JH3

Affected products

Openproject