
CVE-2026-24775: CWE-345: Insufficient Verification of Data Authenticity in opf openproject

Severity: Medium
Published: Wed Jan 28 2026 (01/28/2026, 18:10:46 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows users to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.

AI-Powered Analysis

Last updated: 01/28/2026, 18:35:32 UTC

Technical Analysis

OpenProject is an open-source web-based project management tool that introduced a new collaborative document editor based on BlockNote in version 17.0.0. This editor includes a custom extension allowing users to mention OpenProject work packages within documents. To display work package details, the extension makes API calls to the OpenProject backend, passing the work package ID as a parameter. However, the extension failed to properly validate that the work package ID was strictly numeric, allowing an attacker to inject crafted relative URLs instead of valid numeric IDs. When a user opens a document containing such malicious relative links, the editor triggers arbitrary GET requests to any URL within the OpenProject instance. This can be exploited to perform unauthorized internal API calls, potentially manipulating or disrupting internal data or services. The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity), indicating a failure to properly verify input authenticity before use. The CVSS 3.1 base score is 6.3 (medium severity), reflecting that exploitation requires network access, low complexity, privileges (limited user), and user interaction (opening the document). The impact affects integrity and availability but not confidentiality. The issue was patched in the op-blocknote-extensions version 0.0.22, shipped with OpenProject 17.0.2, by enforcing numeric validation on work package IDs. Until organizations can upgrade, administrators can disable the real-time collaborative document editing feature to mitigate exploitation risk.
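The root cause described above is an identifier that is interpolated into an API path without being checked, so a relative-path string changes which URL the client fetches. The following is an added example, not code from op-blocknote-extensions or OpenProject, showing the loose construction beside a hardened one; the base URL and the `/api/v3/work_packages/` path are assumptions used for illustration.

```javascript
// Added example (not the project's own code): strict work package ID validation
// before the ID is used to build an OpenProject API URL.
const API_BASE = "https://openproject.example.invalid"; // constructed base URL
const WORK_PACKAGE_PATH = "/api/v3/work_packages/";     // assumed API path

// Accept only a plain positive integer as a string: no sign, whitespace,
// slashes, dots, '?' or '#'. Mention data arrives from the document as text.
function isValidWorkPackageId(id) {
  return typeof id === "string" && /^[1-9][0-9]*$/.test(id);
}

// Loose form matching the advisory's description: the ID is interpolated
// unchecked, so "../projects" resolves to a different API endpoint.
function buildUrlUnchecked(id) {
  return new URL(WORK_PACKAGE_PATH + id, API_BASE).href;
}

// Hardened form: validate the ID, then confirm (defence in depth) that the
// resolved URL still has the expected origin and sits under the expected path.
function buildWorkPackageUrl(id) {
  if (!isValidWorkPackageId(id)) {
    throw new Error(`invalid work package id: ${JSON.stringify(id)}`);
  }
  const url = new URL(WORK_PACKAGE_PATH + id, API_BASE);
  if (url.origin !== API_BASE || !url.pathname.startsWith(WORK_PACKAGE_PATH)) {
    throw new Error("resolved URL left the work package API path");
  }
  return url.href;
}

// Helper for checks: true when the hardened builder refuses the given ID.
function rejectsId(id) {
  try {
    buildWorkPackageUrl(id);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(buildWorkPackageUrl("42"));
console.log("'../projects' rejected:", rejectsId("../projects"));
```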

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the integrity and availability of project management data within OpenProject instances. Attackers with limited user privileges can craft documents that, when opened, cause the system to make arbitrary internal GET requests, potentially leading to unauthorized data manipulation, disruption of project workflows, or triggering unintended system behaviors. Although confidentiality is not directly compromised, the ability to interfere with internal API calls can undermine trust in project data accuracy and availability. Organizations relying heavily on OpenProject for collaborative project management, especially those with sensitive or critical project data, may experience operational disruptions. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with many users sharing documents. The vulnerability could be leveraged in targeted attacks or insider threat scenarios to cause internal service disruptions or data integrity issues.

Mitigation Recommendations

1. Upgrade OpenProject to version 17.0.2 or later, which includes the patched op-blocknote-extensions 0.0.22 with proper input validation.
2. If immediate upgrading is not feasible, disable the collaborative document editing feature by navigating to Settings -> Documents -> Real time collaboration and selecting Disable.
3. Implement strict access controls to limit who can create or edit collaborative documents, reducing the risk of malicious document creation.
4. Educate users to be cautious when opening documents from untrusted sources within OpenProject.
5. Monitor OpenProject API logs for unusual GET requests or patterns indicative of exploitation attempts.
6. Consider network segmentation or application-layer firewalls to restrict internal API access where possible.
7. Regularly audit OpenProject instances for version compliance and configuration to ensure timely application of security patches.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-26T21:06:47.869Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697a538a4623b1157ce16565

Added to database: 1/28/2026, 6:20:58 PM

Last enriched: 1/28/2026, 6:35:32 PM

Last updated: 1/28/2026, 8:51:39 PM
