Platform: other
Component: openproject
Fixed in: 17.2.1
CVE-2026-31974 describes a Server-Side Request Forgery (SSRF) vulnerability affecting OpenProject project management software. This flaw allows an attacker with access to the system to map internal hosts and identify reachable services by manipulating the SMTP test endpoint. Versions of OpenProject prior to 17.2.0 are vulnerable, and a fix is available in version 17.2.0.
The SSRF vulnerability in OpenProject arises from the SMTP test endpoint (POST /admin/settings/mail_notifications) accepting arbitrary host and port values. The endpoint exhibits measurable differences in response behavior based on whether the target IP exists and the port is open. An attacker can leverage these timing and error distinctions to perform internal reconnaissance, discovering internal hosts and services. While the CVSS score is LOW, the ability to map internal infrastructure can be a stepping stone for further attacks, potentially leading to privilege escalation or data exfiltration if other vulnerabilities are present. This is similar to SSRF vulnerabilities found in other web applications where internal services are exposed.
CVE-2026-31974 was publicly disclosed on 2026-03-11. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. Given the LOW CVSS score and lack of public exploits, the probability of active exploitation is currently considered low.
Organizations using OpenProject for project management, particularly those with internal services accessible from the web server, are at risk. Shared hosting environments where multiple OpenProject instances share the same server are also potentially vulnerable, as an attacker could exploit the SSRF to gain access to other services running on the same host.
• linux / server: Monitor OpenProject logs for unusual SMTP test requests with unexpected host and port combinations. Use journalctl -u openproject to filter for relevant log entries.
journalctl -u openproject | grep '/admin/settings/mail_notifications' | grep -v '127.0.0.1'
• generic web: Use curl to test the SMTP test endpoint with various internal IP addresses and ports to identify potential SSRF behavior.
curl -v --connect-timeout 1 http://<openproject_ip>/admin/settings/mail_notifications -d '[email protected]&smtp_host=192.168.1.100&smtp_port=8080'
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-31974 is to upgrade OpenProject to version 17.2.0 or later, which includes the fix for this SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /admin/settings/mail_notifications endpoint with arbitrary host and port values. Additionally, restrict access to the administrative settings panel to authorized users only. Regularly review OpenProject configurations to ensure adherence to security best practices.
Upgrade OpenProject to version 17.2.0 or later. This version fixes the SSRF vulnerability in the webhooks and the SMTP test endpoint.
CVE-2026-31974 is a Server-Side Request Forgery (SSRF) vulnerability in OpenProject versions prior to 17.2.0, allowing attackers to map internal hosts.
You are affected if you are running OpenProject versions 17.2.0 or earlier. Upgrade to 17.2.0 to resolve the vulnerability.
Upgrade OpenProject to version 17.2.0 or later. Consider implementing a WAF rule to block suspicious requests as a temporary workaround.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2026-31974.
Refer to the OpenProject security advisory for detailed information and updates: [https://www.openproject.org/security/advisories/](https://www.openproject.org/security/advisories/)