CVE-2026-31974 is a Server-Side Request Forgery (SSRF) vulnerability identified in the open-source project management software OpenProject, specifically in versions prior to 17.2.0. The vulnerability exists in the SMTP test endpoint (POST /admin/settings/mail_notifications) and webhook creation features, which accept arbitrary host and port inputs without sufficient validation. An attacker with authenticated access can exploit this flaw to send crafted requests that cause the server to initiate connections to internal network hosts and ports. By analyzing timing differences and error responses, the attacker can infer the existence and accessibility of internal services, effectively mapping the internal network topology. This reconnaissance capability can aid in further attacks targeting internal systems that are otherwise inaccessible from the outside. The vulnerability does not allow direct data exfiltration or modification but compromises confidentiality by revealing internal network structure. Exploitation requires high privileges (authenticated user) and no user interaction beyond that. The CVSS v3.1 score is 3.0 (low severity), reflecting the limited scope and complexity of exploitation. The vulnerability is fixed in OpenProject 17.2.0, which implements proper validation and restrictions on host and port parameters to prevent SSRF. No public exploits or active exploitation campaigns have been reported to date.

The primary impact of CVE-2026-31974 is the exposure of internal network infrastructure to authenticated attackers. By enabling internal host and port scanning, attackers can identify critical internal services, potentially facilitating lateral movement, targeted attacks, or further exploitation of internal vulnerabilities. Although the vulnerability does not directly compromise data confidentiality, integrity, or availability, the information gained can significantly aid attackers in planning more damaging attacks. Organizations using vulnerable OpenProject versions risk unauthorized internal network reconnaissance, which is especially concerning in environments with sensitive internal services or segmented networks. The requirement for authenticated access limits the threat to insiders or compromised user accounts, but the risk remains significant in large organizations with many users or weak access controls. Since no known exploits are in the wild, the immediate risk is moderate, but the vulnerability should be addressed promptly to prevent future exploitation.

1. Upgrade OpenProject to version 17.2.0 or later, where this SSRF vulnerability is fixed. 2. Restrict access to OpenProject administrative functions to trusted users only, minimizing the number of accounts with the ability to exploit the vulnerability. 3. Implement network segmentation and firewall rules to limit the OpenProject server's ability to initiate outbound connections to internal services, reducing the impact of SSRF attempts. 4. Monitor logs for unusual POST requests to /admin/settings/mail_notifications and webhook creation activities that specify unexpected hosts or ports. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SSRF patterns targeting internal IP ranges. 6. Regularly audit user privileges and revoke unnecessary administrative rights to reduce the attack surface. 7. Conduct internal penetration testing to verify that SSRF protections are effective and no other similar vulnerabilities exist.