CVE-2026-24772: CWE-345: Insufficient Verification of Data Authenticity in opf openproject
OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours and encrypts it with a shared secret known only to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server, which uses them to check the user's ability to work on the document and to perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request carrying the decrypted authentication token to whatever endpoint it was given. An attacker could use this vulnerability to decrypt a token they intercepted by other means and thereby obtain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally, the `hocuspocus` container should also be disabled.
AI Analysis
Technical Summary
OpenProject is an open-source, web-based project management tool. Version 17.0 introduced real-time collaborative document editing backed by a separate synchronization server, shipped as the hocuspocus container. The handshake works as follows: the OpenProject backend issues an authentication token (currently valid for 24 hours) and encrypts it with a shared secret known only to the backend and the synchronization server, so the browser holds only ciphertext. The frontend then passes the encrypted token together with a backend URL to the synchronization server, which decrypts the token and calls that URL with the plaintext token to check whether the user may work on the document and to perform intermittent saves while editing.

The flaw (CWE-345: Insufficient Verification of Data Authenticity) is that the synchronization server accepts the backend URL from the client without validating it. Because the decrypted token is sent to whatever endpoint the client names, the synchronization server effectively acts as a decryption oracle: an attacker who has obtained a victim's encrypted token by other means (the advisory does not claim the bug itself exposes the ciphertext) can submit it together with an attacker-controlled backend URL and receive the plaintext token, then use it as an access token to act on OpenProject as the victim for the remainder of its 24-hour validity. The encryption protects the token from the party that carries it, but nothing binds the token to the legitimate backend; the scheme silently relied on the URL being trustworthy, and it was client-supplied.

Affected are OpenProject versions from 17.0.0 up to but not including 17.0.2, together with the hocuspocus container shipped with those releases; 17.0.2 fixes the issue. Until the upgrade is applied, disabling the real-time collaboration feature and stopping the hocuspocus container removes the exposed path. The CVSS 3.1 base score of 8.9 (High) reflects a network attack vector and low attack complexity, with privileges and user interaction required, high impact on confidentiality and integrity, and low impact on availability.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of project management data stored and managed within OpenProject. Unauthorized access via token theft can lead to data leakage, unauthorized document modifications, and potential disruption of project workflows. Organizations relying on OpenProject for sensitive or regulated projects (e.g., government, finance, healthcare, or critical infrastructure sectors) could face compliance violations and reputational damage if exploited. The ability for an attacker to impersonate legitimate users may also facilitate lateral movement within networks or further attacks on integrated systems. Since OpenProject is used widely across Europe in both public and private sectors, the impact could be broad, especially in environments where real-time collaboration is enabled and network interception is feasible (e.g., unsecured Wi-Fi, compromised internal networks). The limited availability impact reduces risk of denial-of-service but does not diminish the criticality of confidentiality and integrity breaches.
Mitigation Recommendations
1. Upgrade OpenProject to version 17.0.2 or later. The hocuspocus container that runs the synchronization server is affected alongside the backend, so make sure it is updated with the same release rather than left on an older image.
2. If immediate patching is not possible, disable the real-time collaboration feature via Settings -> Documents -> Real time collaboration -> Disable.
3. Also stop the hocuspocus container: with the feature disabled it serves no purpose, and stopping it removes the decryption path entirely.
4. Restrict the synchronization server's outbound (egress) connections to the OpenProject backend host only, using firewall rules or network segmentation. The leak travels from the synchronization server to the attacker-supplied URL, so egress filtering on that container blocks the oracle even before the upgrade; inbound access must stay open to browsers for the feature to work.
5. Monitor the synchronization server's outbound traffic and the backend's access logs for authorization requests involving hosts other than the configured backend; such requests are the signature of an exploitation attempt.
6. Use TLS for all OpenProject and synchronization-server traffic to reduce the chance of an encrypted token being intercepted in the first place.
7. Educate users about the risk of using OpenProject on untrusted networks and encourage the use of VPNs.
8. If compromise is suspected, rotate the shared secret used for token encryption. Tokens an attacker has already decrypted remain usable until they expire (up to 24 hours), so treat the affected users' sessions as compromised as well.
9. Audit OpenProject logs regularly for anomalous access patterns or token misuse.
10. Follow OpenProject's security advisories for further updates.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-26T21:06:47.868Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 697a538a4623b1157ce16562
Added to database: 1/28/2026, 6:20:58 PM
Last enriched: 1/28/2026, 6:35:17 PM
Last updated: 1/28/2026, 8:51:23 PM
Views: 5