{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31974", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:40:10.486Z", "datePublished": "2026-03-11T19:39:25.675Z", "dateUpdated": "2026-03-12T19:55:19.387Z"}, "containers": {"cna": {"title": "Blind SSRF on OpenProject instance via webhooks", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-9wr7-j98g-2jh3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-9wr7-j98g-2jh3"}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"version": "< 17.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:39:25.675Z"}, "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create webhooks in OpenProject and point them to arbitrary IPs, resulting in the same kind of SSRF issue which allows attackers to scan the internal network. This vulnerability is fixed in 17.2.0."}], "source": {"advisory": "GHSA-9wr7-j98g-2jh3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:55:11.427865Z", "id": "CVE-2026-31974", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:55:19.387Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:55:11.427865Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:55:15.714Z"}}], "cna": {"title": "Blind SSRF on OpenProject instance via webhooks", "source": {"advisory": "GHSA-9wr7-j98g-2jh3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"status": "affected", "version": "< 17.2.0"}]}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-9wr7-j98g-2jh3", "name": "https://github.com/opf/openproject/security/advisories/GHSA-9wr7-j98g-2jh3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create webhooks in OpenProject and point them to arbitrary IPs, resulting in the same kind of SSRF issue which allows attackers to scan the internal network. This vulnerability is fixed in 17.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:39:25.675Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31974", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:55:19.387Z", "dateReserved": "2026-03-10T15:40:10.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:39:25.675Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FB19C4D-0273-43F6-9AF6-3D30795D43BB", "versionEndExcluding": "17.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create webhooks in OpenProject and point them to arbitrary IPs, resulting in the same kind of SSRF issue which allows attackers to scan the internal network. This vulnerability is fixed in 17.2.0."}, {"lang": "es", "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. Antes de la versi\u00f3n 17.2.0, el endpoint de prueba SMTP de OpenProject (POST /admin/settings/mail_notifications) acepta valores arbitrarios de host y puerto y exhibe diferencias medibles en el comportamiento de la respuesta dependiendo de si la IP objetivo existe y de si el puerto est\u00e1 abierto. Un atacante con acceso puede usar estas distinciones de tiempo y error para mapear hosts internos e identificar qu\u00e9 servicios/puertos son accesibles. De manera similar, se pueden crear webhooks en OpenProject y apuntarlos a IPs arbitrarias, lo que resulta en el mismo tipo de problema de SSRF que permite a los atacantes escanear la red interna. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 17.2.0."}], "id": "CVE-2026-31974", "lastModified": "2026-03-23T14:25:54.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.0, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T20:16:17.280", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-9wr7-j98g-2jh3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,17.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openproject", "source": "cna", "vendor": "opf"}, "product": "openproject", "vendor": "opf"}], "analysis": {"en": {"generated_at": "2026-03-23T16:31:36.114427+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenProject 17.2.0 or newer", "If an upgrade cannot be performed immediately, restrict OpenProject outbound traffic or block webhook URLs to prevent external requests", "Limit user permissions to disable the ability to create webhooks or execute SMTP test actions"], "summary": {"action": "Patch", "impact": "Internal network enumeration via blind SSRF"}, "threat_synthesis": {"affected_systems": "Versions of OpenProject before 17.2.0 are affected. The vulnerability surfaces in the SMTP test endpoint (POST\u00a0/admin/settings/mail_notifications) and the webhook creation interface, enabling requests to arbitrary IP addresses and ports. All affected releases share the same flaw, as listed by the vendor. Upgrading to 17.2.0 or later removes the flaw.", "description_and_impact": "OpenProject allows a user to send arbitrary HTTP requests through its SMTP test endpoint and webhook feature, creating blind SSRF opportunities. The system responds differently when a target IP address exists or a specified port is reachable, providing timing and error cues that an attacker can observe. By exploiting these observable differences, an attacker can map internal hosts and discover which services or ports are available inside the network, exposing sensitive internal topology information without directly reading data from services.", "risk_and_exploitability": "The base severity score of 3.0 indicates low overall risk, and the estimated exploitation likelihood is below 1%, suggesting that widespread attacks are unlikely. The flaw does not appear in the federal catalog of known exploited vulnerabilities. The attack requires an attacker to have access to the OpenProject instance, either via authenticated user privileges or a compromised account, making the vector internal and limited to authorized users. Consequently, the risk is primarily to confidentiality of internal network topology rather than direct data theft or code execution."}}}}, "created": "2026-03-12T09:56:27.483756+00:00", "updated": "2026-03-24T10:39:56.328194+00:00", "vendors": ["opf", "opf$PRODUCT$openproject"]}