Platform
other
Component
openproject
Fixed in
17.2.1
CVE-2026-31974 describes a Server-Side Request Forgery (SSRF) vulnerability affecting OpenProject project management software. This flaw allows an attacker with access to the system to map internal hosts and identify reachable services by manipulating the SMTP test endpoint. Versions of OpenProject prior to 17.2.0 are vulnerable, and a fix is available in version 17.2.0.
The SSRF vulnerability in OpenProject arises from the SMTP test endpoint (POST /admin/settings/mail_notifications) accepting arbitrary host and port values. The endpoint exhibits measurable differences in response behavior based on whether the target IP exists and the port is open. This allows an attacker to passively probe the internal network, identifying reachable services and ports. While the vulnerability is rated as LOW severity, the ability to map internal infrastructure can be a precursor to more serious attacks, potentially leading to information disclosure or even access to sensitive internal resources. The ability to create webhooks pointing to arbitrary IPs exacerbates the SSRF issue.
CVE-2026-31974 was publicly disclosed on 2026-03-11. There is currently no known public proof-of-concept (POC) available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Organizations using OpenProject for project management, particularly those with internal services accessible from the web server, are at risk. Shared hosting environments where multiple OpenProject instances share the same server are also potentially vulnerable, as an attacker could exploit the SSRF to gain access to other services running on the same host.
• linux / server: Monitor OpenProject logs for unusual SMTP test requests with unexpected host and port combinations. Use journalctl -u openproject to filter for relevant log entries.

```shell
journalctl -u openproject | grep '/admin/settings/mail_notifications' | grep -v '127.0.0.1'
```

• generic web: Use curl to test the SMTP test endpoint with various internal IP addresses and ports to identify potential SSRF behavior.

```shell
curl -v --connect-timeout 1 http://<openproject_ip>/admin/settings/mail_notifications -d '[email protected]&smtp_host=192.168.1.100&smtp_port=8080'
```
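The grep above only excludes one loopback address. A detection that scales to real logs needs to pair each SMTP-test request with its parameters, compare the target against the relay the site actually uses, and notice one client cycling through many host:port pairs. The following Ruby script is an added example written for this page, not OpenProject code; it assumes Rails-style request logging (the `Started ... for <ip>` / `Parameters: {...}` pair), a constructed sample log, and a hypothetical expected relay name `mail.example.internal`.

```ruby
# Added example (not OpenProject's own code). Scans a Rails-style log excerpt for
# SMTP-test requests whose target is not the organisation's expected relay and
# for clients that cycle through many distinct host:port pairs (a sweep pattern).
require "set"

# Constructed sample log in the shape of Rails request logging; not real data.
SAMPLE_LOG = <<~LOG
  Started POST "/admin/settings/mail_notifications" for 203.0.113.10 at 2026-03-11 09:00:01 +0000
    Parameters: {"smtp_host"=>"mail.example.internal", "smtp_port"=>"587"}
  Started POST "/admin/settings/mail_notifications" for 203.0.113.20 at 2026-03-11 09:00:05 +0000
    Parameters: {"smtp_host"=>"10.0.0.5", "smtp_port"=>"22"}
  Started POST "/admin/settings/mail_notifications" for 203.0.113.20 at 2026-03-11 09:00:06 +0000
    Parameters: {"smtp_host"=>"10.0.0.5", "smtp_port"=>"6379"}
  Started GET "/projects" for 203.0.113.30 at 2026-03-11 09:00:07 +0000
  Started POST "/admin/settings/mail_notifications" for 203.0.113.20 at 2026-03-11 09:00:08 +0000
    Parameters: {"smtp_host"=>"10.0.0.6", "smtp_port"=>"80"}
LOG

EXPECTED_RELAYS = ["mail.example.internal"].freeze # assumption: the site's real relay
SWEEP_THRESHOLD = 3 # distinct host:port pairs from one client before flagging a sweep
SMTP_TEST_PATH  = "/admin/settings/mail_notifications"

STARTED_RE = /\AStarted (\S+) "([^"]+)" for (\S+) at /
PARAMS_RE  = /Parameters: \{(.*)\}/

# Pairs each "Started POST <path>" line with the "Parameters:" line that follows it.
def parse_smtp_tests(log_text)
  events = []
  client = nil
  log_text.each_line do |line|
    if (m = STARTED_RE.match(line))
      # Only POSTs to the SMTP test endpoint are of interest; anything else resets state.
      client = (m[1] == "POST" && m[2] == SMTP_TEST_PATH) ? m[3] : nil
    elsif client && (p = PARAMS_RE.match(line))
      params = p[1].scan(/"([^"]+)"=>"([^"]*)"/).to_h
      events << { client: client, host: params["smtp_host"], port: params["smtp_port"] }
      client = nil
    end
  end
  events
end

# Two signals: a target that is not the known relay, and one client probing many targets.
def smtp_test_findings(events)
  findings = events.reject { |e| EXPECTED_RELAYS.include?(e[:host]) }
                   .map { |e| e.merge(reason: :unexpected_target) }
  per_client = Hash.new { |h, k| h[k] = Set.new }
  events.each { |e| per_client[e[:client]] << "#{e[:host]}:#{e[:port]}" }
  per_client.each do |c, targets|
    next if targets.size < SWEEP_THRESHOLD
    findings << { client: c, reason: :port_sweep, distinct_targets: targets.size }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  smtp_test_findings(parse_smtp_tests(SAMPLE_LOG)).each { |f| puts f.inspect }
end
```

On the constructed sample this reports three `unexpected_target` events and one `port_sweep` for client 203.0.113.20. Tune `SWEEP_THRESHOLD` to how often administrators legitimately retest mail settings; a single unexpected target is worth a look on its own, since the endpoint has no business reaching anything but the configured relay.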
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-31974 is to upgrade OpenProject to version 17.2.0 or later, which includes the fix. If immediate upgrading is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the OpenProject server using a firewall or web application proxy. Specifically, block outbound connections to internal IP ranges. Monitor SMTP logs for unusual outbound connection attempts. After upgrading, confirm the fix by attempting to send a test email to an internal IP address; the request should be rejected.
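Firewalling outbound traffic is the workaround the page recommends; the durable fix on the application side is to validate the admin-supplied host and port before the server opens any connection. The Ruby below is an added example written for this page, not OpenProject's patch or code: it resolves the host, refuses anything that lands in loopback, private, link-local, unspecified, multicast or reserved space (including IPv4-mapped IPv6 forms), and accepts only ports that plausibly carry SMTP. The port allowlist and the injectable `resolver` parameter are assumptions of this example.

```ruby
# Added example (not OpenProject code): validate an admin-supplied SMTP host/port
# before the server opens any outbound connection to it, so the settings endpoint
# cannot be used to map internal hosts and ports.
require "ipaddr"
require "resolv"

ALLOWED_SMTP_PORTS = [25, 465, 587, 2525].freeze # assumption: site policy

DENIED_V4 = %w[0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
               172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4]
            .map { |cidr| IPAddr.new(cidr) }
DENIED_V6 = %w[::/128 ::1/128 fc00::/7 fe80::/10 ff00::/8].map { |cidr| IPAddr.new(cidr) }

# True if the address is one the application must never connect to.
def internal_address?(addr)
  ip = addr.is_a?(IPAddr) ? addr : IPAddr.new(addr)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped? # ::ffff:10.0.0.1 is still 10.0.0.1
  (ip.ipv4? ? DENIED_V4 : DENIED_V6).any? { |range| range.include?(ip) }
end

# Returns [ok, reason]. The resolver is injectable so the check runs without DNS.
def validate_smtp_target(host, port, resolver: ->(name) { Resolv.getaddresses(name) })
  unless ALLOWED_SMTP_PORTS.include?(port.to_i)
    return [false, "port #{port} is not an allowed SMTP port"]
  end
  addresses = begin
    [IPAddr.new(host).to_s] # literal IP: nothing to look up
  rescue IPAddr::InvalidAddressError
    resolver.call(host) # hostname: check every address it resolves to
  end
  return [false, "#{host} does not resolve"] if addresses.empty?
  bad = addresses.find { |a| internal_address?(a) }
  return [false, "#{host} resolves to internal address #{bad}"] if bad
  [true, "ok"]
end

if __FILE__ == $PROGRAM_NAME
  [["192.168.1.100", 8080], ["10.0.0.5", 587], ["169.254.169.254", 25]].each do |h, p|
    ok, why = validate_smtp_target(h, p)
    puts "#{h}:#{p} -> #{ok ? 'accepted' : 'rejected: ' + why}"
  end
end
```

One caveat that matters for this class of bug: a check made at configuration time can be defeated if the hostname later resolves to a different address (DNS rebinding), so the same `internal_address?` test should also be applied to the address the socket actually connects to, and the rejection message returned to the admin UI should be the same whether the target was unroutable or merely denied, so that the response itself leaks no host or port state.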
Update OpenProject to version 17.2.0 or later. This version fixes the SSRF vulnerability in webhooks and the SMTP test endpoint.
CVE-2026-31974 is a Server-Side Request Forgery (SSRF) vulnerability in OpenProject versions prior to 17.2.0, allowing attackers to map internal hosts.
You are affected if you are running OpenProject versions 17.2.0 or earlier. Upgrade to 17.2.0 to resolve the vulnerability.
Upgrade OpenProject to version 17.2.0 or later. Consider implementing a WAF rule to block suspicious requests as a temporary workaround.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2026-31974.
Refer to the OpenProject security advisory for detailed information and updates: [https://www.openproject.org/security/advisories/](https://www.openproject.org/security/advisories/)