OpenProject is an open-source web-based project management tool. Versions prior to 17.2.0 contain an SSRF vulnerability (CVE-2026-31974) in the SMTP test endpoint (/admin/settings/mail_notifications) and webhook creation functionality. Authenticated users can specify arbitrary host and port values, causing the server to initiate network requests to these targets. The server's response behavior varies measurably depending on whether the target IP exists and if the specified port is open, enabling attackers to perform internal network reconnaissance by mapping hosts and open services. This vulnerability leverages timing and error response differences to infer network topology and service availability behind the firewall. Exploitation requires authenticated access with administrative privileges, limiting the attack surface. The vulnerability does not allow direct data exfiltration or service disruption but can be a stepping stone for further attacks by revealing internal infrastructure details. The issue is resolved in OpenProject version 17.2.0. No known exploits are currently reported in the wild. The CVSS 3.1 base score is 3.0, reflecting low severity due to the need for high privileges and lack of direct impact on confidentiality, integrity, or availability.

The primary impact of this SSRF vulnerability is the potential for internal network reconnaissance by authenticated attackers. By mapping internal hosts and identifying open ports and services, attackers can gain valuable intelligence to facilitate lateral movement, privilege escalation, or targeted attacks within the network. While the vulnerability itself does not allow direct data theft or system compromise, it lowers the barrier for attackers to plan more damaging exploits. Organizations with sensitive internal services or poorly segmented networks are at greater risk, as attackers can discover critical infrastructure details. The requirement for authenticated access reduces the likelihood of exploitation by external attackers but insider threats or compromised credentials could enable misuse. This vulnerability could also aid attackers in bypassing network access controls by leveraging the vulnerable server as a proxy to reach otherwise inaccessible internal resources.

1. Upgrade OpenProject to version 17.2.0 or later, where this SSRF vulnerability is fixed. 2. Restrict administrative access to the SMTP test endpoint and webhook configuration to trusted users only, minimizing the risk of misuse. 3. Implement network segmentation and firewall rules to limit the OpenProject server's ability to initiate arbitrary outbound connections to internal IP ranges and sensitive ports. 4. Monitor logs for unusual or unexpected requests to the SMTP test endpoint and webhook creation, especially those targeting internal IP addresses or uncommon ports. 5. Employ multi-factor authentication and strong credential management to reduce the risk of compromised accounts with administrative privileges. 6. Conduct regular internal network scans and penetration tests to identify and remediate any exposed services that could be discovered via SSRF. 7. Consider application-layer request validation or filtering to restrict allowed hostnames and ports in user-supplied inputs for SMTP testing and webhooks.