PT-2026-5179 · Openproject · Openproject

Syndrome-Impostor · Published 2026-01-28 · Updated 2026-02-12 · CVE-2026-24772

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenProject versions 17.0.0 through 17.0.1

Description: OpenProject is a web-based project management software. A synchronization server was introduced in version 17.0.0 to enable real-time collaboration on documents. The server does not properly validate the backend URL and sends a request carrying a decrypted authentication token to whatever endpoint was supplied. This allows an attacker who has intercepted an authentication token to gain access to OpenProject on behalf of the victim. The authentication token is valid for 24 hours and is encrypted with a shared secret. The vulnerable functionality involves the interaction between the OpenProject backend, frontend, and synchronization server. The issue was introduced with version 17.0.0.

Recommendations: Disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Disable the hocuspocus container.
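The root cause above is a sync server forwarding a decrypted token to a backend URL it did not verify. The following is an added illustration of the defensive check, written for a Node.js-style sync server; it is not OpenProject's or hocuspocus's code, and the configured origin, function names and the dry-run `tokenDestination` helper are all hypothetical.

```javascript
// Added example (not OpenProject's or hocuspocus's code). A sync server that
// must present a decrypted session token to a backend should only ever talk to
// the backend it was configured with, never to a URL taken from a client
// message. The origin below is a constructed placeholder.
const CONFIGURED_BACKEND = "https://openproject.example.test";

// Returns the origin that may receive the token, or null if the candidate is
// not exactly the configured backend. Comparing the parsed origin (scheme +
// host + port) rather than doing string prefix/suffix checks defeats the usual
// look-alike inputs: appended subdomains, userinfo ("good.test@evil.test"),
// path suffixes, scheme downgrade and alternate ports.
function validateBackendUrl(candidate, configured = CONFIGURED_BACKEND) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // not parseable as a URL
  }
  const allowed = new URL(configured);
  if (url.protocol !== "https:") return null; // token must not go over plaintext
  if (url.username || url.password) return null; // "https://good.test@evil.test"
  if (url.origin !== allowed.origin) return null; // host and port must match exactly
  return url.origin;
}

// Dry-run of the forwarding decision: instead of performing the request, report
// where the token would go. A client-supplied backend is accepted only when it
// is the configured one; otherwise nothing is sent.
function tokenDestination(clientSuppliedBackend) {
  const dest = validateBackendUrl(clientSuppliedBackend);
  if (dest === null) {
    return { sent: false, reason: "backend URL rejected" };
  }
  return { sent: true, to: dest };
}

module.exports = { validateBackendUrl, tokenDestination, CONFIGURED_BACKEND };
```

The stronger fix is to drop the client-supplied URL entirely and always post to `CONFIGURED_BACKEND`; the validator is shown so the rejected cases are explicit.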

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-24772
GHSA-R854-P5QJ-X974

Affected Products

Openproject