OpenProject Hocuspocus Synchronization Server Authentication Token Decryption Vulnerability

Vulnerability

A vulnerability in the Hocuspocus synchronization server of OpenProject versions 17.0.0 and 17.0.1 allows for the decryption of authentication tokens. This issue arises because the synchronization server fails to properly validate backend URLs, enabling an attacker to intercept and decrypt tokens to gain access to OpenProject on behalf of the victim. The vulnerability was introduced in OpenProject 17.0.0 and fixed in 17.0.2.
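
As an added example that is not OpenProject's or Hocuspocus's own code, the following shows the kind of strict check the description implies was missing: before a token is forwarded, the backend URL is compared exactly against an operator-configured allowlist of origins. The origin values, function names and the `resolveBackendForToken` helper are assumptions made for illustration.

```javascript
// Added example, not the project's own code. Constructed allowlist of
// backend origins an operator would configure (scheme + host + port).
const ALLOWED_BACKEND_ORIGINS = [
  "https://openproject.example.com",      // constructed example value
  "https://openproject.example.com:8443", // constructed example value
];

// Returns true only if `candidate` points at an allowlisted backend origin.
// Anything that cannot be parsed, is not HTTPS, carries embedded credentials,
// or does not match an allowed origin exactly is rejected.
function isAllowedBackendUrl(candidate, allowed = ALLOWED_BACKEND_ORIGINS) {
  let url;
  try {
    url = new URL(candidate); // WHATWG parser, normalises host and port
  } catch {
    return false; // unparseable input is rejected, never "fixed up"
  }
  // Only TLS: a plaintext backend would expose the token on the wire.
  if (url.protocol !== "https:") return false;
  // Embedded credentials (https://good.example@other.example/) make naive
  // hostname checks read the wrong part of the URL, so refuse them outright.
  if (url.username !== "" || url.password !== "") return false;
  // Compare the normalised origin exactly; substring or prefix matching
  // would wrongly accept hosts that merely start with the allowed name.
  return allowed.includes(url.origin);
}

// Hypothetical helper: returns the normalised origin a token may be sent to,
// or null when the requested backend is not allowlisted.
function resolveBackendForToken(candidate) {
  return isAllowedBackendUrl(candidate) ? new URL(candidate).origin : null;
}
```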

Impact

Exploitation of this vulnerability allows for unauthorized access to OpenProject documents, enabling an attacker to interact with the application on behalf of the victim.

Remediation

Update to OpenProject version 17.0.2, where this vulnerability is patched. If an immediate update is not possible, disable the collaboration feature in the settings and also disable the Hocuspocus container.

Added: Jan 28, 2026, 7:24 PM
Updated: Jan 28, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 5.8
remediation: 8.3
relevance: 2.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.