Platform
other
Component
openproject/hocuspocus
Fixed in
17.0.1
17.0.3
CVE-2026-24772 describes a Server-Side Request Forgery (SSRF) vulnerability within the Hocuspocus Synchronization Server component of OpenProject. This server, introduced in OpenProject version 17.0 to facilitate real-time document collaboration, suffers from insufficient backend URL validation. Consequently, an attacker can potentially manipulate the server into making requests to arbitrary internal or external resources, leading to unauthorized access and potential data exposure. The vulnerability affects OpenProject versions 17.0.0 through 17.0.1, and a patch is available in version 17.0.2.
The SSRF vulnerability in OpenProject's Hocuspocus Synchronization Server allows an attacker to craft malicious requests that the server will execute on their behalf. This can lead to several severe consequences. An attacker could potentially access internal services and resources that are not directly exposed to the internet, such as internal databases, configuration files, or other sensitive systems. They might be able to read sensitive data, modify configurations, or even execute commands on those internal systems, depending on their permissions. Furthermore, the attacker could potentially use the server as a proxy to scan internal networks or launch attacks against other internal systems, significantly expanding the blast radius of the vulnerability. The encryption of the authentication token, while intended to provide security, does not prevent the SSRF attack due to the validation flaw.
CVE-2026-24772 was published on January 28, 2026. The vulnerability's CVSS score of 8.9 (HIGH) indicates a significant risk. As of this writing, there is no indication of active exploitation campaigns targeting this vulnerability. No public Proof-of-Concept (PoC) exploits have been publicly disclosed. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or has an EPSS score, suggesting a low to medium probability of exploitation in the near term. Refer to the NVD (National Vulnerability Database) for updates and further information.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24772 is to immediately upgrade OpenProject to version 17.0.2 or later, which includes the necessary fix for the backend URL validation issue. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to restrict network access to the Hocuspocus Synchronization Server using a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests to suspicious or unauthorized domains and IP addresses. Another workaround involves carefully reviewing and restricting the allowed domains and protocols that the synchronization server is permitted to access. Regularly monitor the synchronization server's logs for any unusual or suspicious activity. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a crafted request and verifying that it is blocked.
Actualice OpenProject a la versión 17.0.2 o superior. Como alternativa, deshabilite la función de colaboración en tiempo real a través de Settings -> Documents -> Real time collaboration -> Disable. Adicionalmente, el contenedor `hocuspocus` también debería ser deshabilitado.
Vulnerability analysis and critical alerts directly to your inbox.
It's a Server-Side Request Forgery (SSRF) vulnerability in the OpenProject Hocuspocus Synchronization Server, allowing attackers to make requests on the server's behalf.
You are affected if you are running OpenProject versions 17.0.0 through 17.0.1. Upgrade to 17.0.2 to resolve the issue.
Upgrade OpenProject to version 17.0.2 or later. As a temporary workaround, restrict network access using a WAF or proxy.
Currently, there's no public evidence of active exploitation or publicly available PoCs, but the high CVSS score warrants immediate attention.
Refer to the NVD (National Vulnerability Database) entry for CVE-2026-24772 for detailed information and updates: [https://nvd.nist.gov/vuln/detail/CVE-2026-24772](https://nvd.nist.gov/vuln/detail/CVE-2026-24772)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.