FKIE_CVE-2026-24775

Vulnerability from fkie_nvd - Published: 2026-01-28 19:16 - Updated: 2026-02-12 20:36
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Summary
OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.
References
security-advisories@github.comhttps://github.com/opf/op-blocknote-extensions/releases/tag/v0.0.22Release Notes
security-advisories@github.comhttps://github.com/opf/openproject/security/advisories/GHSA-35c6-x276-2pvcPatch, Vendor Advisory
Impacted products
Vendor Product Version
openproject openproject *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4530571-3A78-40BB-9B33-880974D8C7CF",
              "versionEndExcluding": "17.0.2",
              "versionStartIncluding": "17.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -\u003e Documents -\u003e Real time collaboration -\u003e Disable."
    },
    {
      "lang": "es",
      "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. En el nuevo editor para documentos colaborativos basado en BlockNote, los mantenedores de OpenProject a\u00f1adieron una extensi\u00f3n personalizada en la versi\u00f3n 17.0.0 de OpenProject que permite mencionar paquetes de trabajo de OpenProject en el documento. Para mostrar los detalles del paquete de trabajo, el editor carga los detalles sobre el paquete de trabajo a trav\u00e9s de la API de OpenProject. Para esta llamada a la API, la extensi\u00f3n del editor BlockNote no valid\u00f3 correctamente que el ID del paquete de trabajo dado fuera solo un n\u00famero. Esto permiti\u00f3 a un atacante generar un documento con enlaces relativos que, al abrirse, pod\u00eda realizar solicitudes \u0027GET\u0027 arbitrarias a cualquier URL dentro de la instancia de OpenProject. Este problema fue parcheado en la versi\u00f3n 0.0.22 de op-blocknote-extensions, que se envi\u00f3 con OpenProject 17.0.2. Si los usuarios no pueden actualizar inmediatamente a la versi\u00f3n 17.0.2 de OpenProject, los administradores pueden deshabilitar la edici\u00f3n colaborativa de documentos en Ajustes -\u0026gt; Documentos -\u0026gt; Colaboraci\u00f3n en tiempo real -\u0026gt; Deshabilitar."
    }
  ],
  "id": "CVE-2026-24775",
  "lastModified": "2026-02-12T20:36:00.650",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-28T19:16:24.927",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/opf/op-blocknote-extensions/releases/tag/v0.0.22"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/opf/openproject/security/advisories/GHSA-35c6-x276-2pvc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.