Platform: other
Component: openproject
Fixed in: 17.2.1
CVE-2026-31974 describes a Server-Side Request Forgery (SSRF) vulnerability in the OpenProject project-management software. An attacker with access to the administrative settings (the affected endpoint lives under /admin/) can abuse the SMTP test function to map internal hosts and identify reachable services. OpenProject versions prior to 17.2.0 are vulnerable; the fix shipped in 17.2.0.
The flaw is in the SMTP test endpoint (POST /admin/settings/mail_notifications), which accepts arbitrary host and port values and connects to them from the OpenProject server. The response differs measurably depending on whether the target IP exists and whether the port is open, as is typical for a raw TCP connect: a closed port on a live host usually fails fast with a refused connection, a non-existent or filtered host times out, and the resulting error messages differ. A submitter can therefore use the server as a port scanner against networks the server can reach but the attacker cannot. The CVSS score is LOW because the attacker only learns which hosts and ports are reachable, but that map is a useful stepping stone towards privilege escalation or data exfiltration if the internal services themselves have exploitable weaknesses.
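To make the hardening side concrete, here is an added illustration (not OpenProject's code, and not the actual fix in 17.2.0) of the guard an SMTP test endpoint can apply before it opens a socket to an administrator-supplied host: resolve the name, reject any address in loopback, RFC 1918, link-local or other internal ranges, restrict the port to SMTP ports, and return one generic verdict so that refused-versus-timeout differences are not echoed back. The `resolver:` parameter is an assumption introduced so the check can be exercised offline; the blocked ranges and port list are illustrative choices, not values taken from the project.

```ruby
require "ipaddr"
require "resolv"

# Illustrative deny-list: ranges a "send test mail" action has no business
# probing from the application server. Assumed values, not OpenProject's.
BLOCKED_RANGES = [
  IPAddr.new("127.0.0.0/8"),    # loopback
  IPAddr.new("0.0.0.0/8"),      # "this" network
  IPAddr.new("10.0.0.0/8"),     # RFC 1918
  IPAddr.new("172.16.0.0/12"),  # RFC 1918
  IPAddr.new("192.168.0.0/16"), # RFC 1918
  IPAddr.new("169.254.0.0/16"), # link-local, includes 169.254.169.254 cloud metadata
  IPAddr.new("::1/128"),        # IPv6 loopback
  IPAddr.new("fc00::/7"),       # IPv6 unique local
  IPAddr.new("fe80::/10"),      # IPv6 link-local
].freeze

# Illustrative allow-list of ports a mail relay would plausibly listen on.
ALLOWED_PORTS = [25, 465, 587, 2525].freeze

# Resolve the supplied host to every address it maps to. A literal IP is used
# as-is; a DNS name is resolved because a public-looking name can point at an
# internal address (split-horizon DNS, rebinding), and every answer must pass.
def resolve_all(host, resolver)
  literal = (IPAddr.new(host) rescue nil)
  return [literal] if literal
  resolver.call(host).map { |a| IPAddr.new(a) }
end

# IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are unwrapped so that the
# IPv4 ranges above still apply to them.
def blocked_address?(ip)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Returns :ok or a coarse reason. The HTTP layer should collapse every
# non-:ok result, and every socket error during the real test, into the same
# "SMTP test failed" message so the submitter cannot tell refused from timeout.
def validate_smtp_target(host, port, resolver: ->(h) { Resolv.getaddresses(h) })
  return :invalid_port unless ALLOWED_PORTS.include?(port.to_i)
  addrs = resolve_all(host, resolver)
  return :unresolvable if addrs.empty?
  return :forbidden_target if addrs.any? { |ip| blocked_address?(ip) }
  :ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs; a fixed resolver keeps the demo offline.
  fake_dns = ->(name) { name == "smtp.example.test" ? ["198.51.100.25"] : [] }
  [["smtp.example.test", 587], ["10.0.0.7", 22], ["169.254.169.254", 25],
   ["::ffff:192.168.1.1", 465], ["203.0.113.10", 8080]].each do |host, port|
    puts "#{host}:#{port} -> #{validate_smtp_target(host, port, resolver: fake_dns)}"
  end
end
```

Resolving and checking every returned address is the important detail: checking only the first A record, or checking the hostname string against a pattern, leaves the DNS-rebinding and split-horizon cases open. Note also that the check and the later connect resolve separately, so a production version should pin the validated address and connect to it rather than re-resolving the name.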
CVE-2026-31974 was publicly disclosed on 2026-03-11. No public proof-of-concept exploit is known, and the vulnerability is not listed in the CISA KEV catalog. Given the LOW CVSS score and the lack of public exploits, the probability of active exploitation is currently considered low.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-31974 is to upgrade OpenProject to version 17.2.0 or later, which includes the fix for this SSRF vulnerability. If upgrading is not immediately feasible, restrict access to the administrative settings panel (and to the /admin/settings/mail_notifications endpoint in particular) to the administrators who actually need it. A WAF rule on that endpoint is of limited value on its own, because the submitted value is an arbitrary hostname and a WAF cannot reliably tell the real mail relay from a probe target; a more robust interim control is egress filtering on the OpenProject host, so that outbound SMTP connections can only reach your actual mail relay on its SMTP port. Regularly review OpenProject configurations to ensure adherence to security best practices.
Update OpenProject to version 17.2.0 or higher. This version fixes the SSRF vulnerability in webhooks and the SMTP test endpoint.
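Because the page reports no known exploitation, the practical question for defenders is whether this endpoint has been abused in their own instance. The following added example (not part of the page or of OpenProject) shows one detection heuristic: a legitimate administrator tests mail delivery against one relay a handful of times, whereas a reconnaissance run submits many distinct host:port pairs in a short burst. The log format below is constructed for the example; it assumes a per-request line carrying the acting user and the submitted `smtp_address` / `smtp_port` values, which your real request logs or audit trail would have to supply in whatever form they use.

```ruby
require "time"

# Constructed sample request log (not real OpenProject output). Alice tests her
# relay twice; mallory walks 10.0.0.1-5 on port 22 and one extra port, then
# one more target much later.
SAMPLE_LOG = <<~LOG
  2026-03-12T10:00:01Z user=alice ip=203.0.113.9 POST /admin/settings/mail_notifications smtp_address=smtp.example.test smtp_port=587
  2026-03-12T10:00:09Z user=alice ip=203.0.113.9 POST /admin/settings/mail_notifications smtp_address=smtp.example.test smtp_port=587
  2026-03-12T10:02:00Z user=mallory ip=198.51.100.7 POST /admin/settings/mail_notifications smtp_address=10.0.0.1 smtp_port=22
  2026-03-12T10:02:01Z user=mallory ip=198.51.100.7 POST /admin/settings/mail_notifications smtp_address=10.0.0.2 smtp_port=22
  2026-03-12T10:02:02Z user=mallory ip=198.51.100.7 POST /admin/settings/mail_notifications smtp_address=10.0.0.3 smtp_port=22
  2026-03-12T10:02:03Z user=mallory ip=198.51.100.7 POST /admin/settings/mail_notifications smtp_address=10.0.0.4 smtp_port=22
  2026-03-12T10:02:04Z user=mallory ip=198.51.100.7 POST /admin/settings/mail_notifications smtp_address=10.0.0.5 smtp_port=22
  2026-03-12T10:02:05Z user=mallory ip=198.51.100.7 POST /admin/settings/mail_notifications smtp_address=10.0.0.1 smtp_port=3306
  2026-03-12T10:40:00Z user=mallory ip=198.51.100.7 POST /admin/settings/mail_notifications smtp_address=10.0.0.9 smtp_port=25
  2026-03-12T10:41:00Z user=alice ip=203.0.113.9 GET /admin/settings/mail_notifications
LOG

# Only POSTs to the SMTP test endpoint that carry a target are of interest.
LINE_RE = %r{\A(?<ts>\S+) user=(?<user>\S+) ip=(?<ip>\S+) POST /admin/settings/mail_notifications .*?smtp_address=(?<host>\S+) smtp_port=(?<port>\d+)}

# Parse each matching line into an event with a combined host:port target.
def parse_smtp_tests(log)
  log.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip)
    next unless m
    { ts: Time.iso8601(m[:ts]), user: m[:user], ip: m[:ip], target: "#{m[:host]}:#{m[:port]}" }
  end
end

# Flag any user who submitted more than `max_distinct` distinct host:port
# targets within any sliding window of `window` seconds. Returns a hash of
# user => the largest set of targets seen in one window.
def detect_smtp_probing(log, max_distinct: 3, window: 600)
  hits = {}
  parse_smtp_tests(log).sort_by { |e| e[:ts] }.group_by { |e| e[:user] }.each do |user, events|
    events.each_index do |i|
      start = events[i][:ts]
      in_window = events[i..].take_while { |e| e[:ts] - start <= window }
      targets = in_window.map { |e| e[:target] }.uniq
      next unless targets.size > max_distinct
      hits[user] = targets if hits[user].nil? || targets.size > hits[user].size
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  detect_smtp_probing(SAMPLE_LOG).each do |user, targets|
    puts "#{user}: #{targets.size} distinct SMTP test targets in one window -> #{targets.join(', ')}"
  end
end
```

The threshold is deliberately low: outside of an initial setup session there is rarely a reason for an administrator to point the SMTP test at more than two or three different hosts, and any target inside your private address space that is not the real relay deserves a look regardless of volume.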
CVE-2026-31974 is a Server-Side Request Forgery (SSRF) vulnerability in OpenProject versions prior to 17.2.0, allowing attackers to map internal hosts.
You are affected if you are running an OpenProject version prior to 17.2.0. Upgrade to 17.2.0 or later to resolve the vulnerability.
Upgrade OpenProject to version 17.2.0 or later. Until then, restrict access to the administrative settings and limit outbound connections from the OpenProject host to your real mail relay; a WAF rule on the endpoint can supplement this but cannot reliably distinguish a legitimate relay from a probe target.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2026-31974.
Refer to the OpenProject security advisory for detailed information and updates: [https://www.openproject.org/security/advisories/](https://www.openproject.org/security/advisories/)