cvedb.io
CVE-2026-24772
HIGH · CVSS 8.9
EPSS exploitation probability: 0%
Published 2026-01-28T19:16:24.763 · Last modified 2026-06-17T10:23:34.070

Summary

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by othe

Affected products

openproject — openproject

Does this affect you?

Add your gear to cvedb and we'll alert you only when openproject ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.