OpenProject
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*
- < 17.2.0
A blind server-side request forgery (SSRF) vulnerability has been identified in OpenProject versions prior to 17.2.0. The issue arises in the SMTP test endpoint, which accepts arbitrary host and port values. The endpoint's response differs depending on whether the target IP exists and whether the port is open, so an attacker with access to the endpoint can map internal hosts and identify reachable services and ports. Additionally, webhooks can be created in OpenProject that point to arbitrary IPs, enabling the same internal network scanning through a second path.
Exploitation of this vulnerability allows internal network reconnaissance: an attacker maps internal hosts and the services/ports they expose from the response behavior of the SMTP test endpoint, and can exercise the same blind SSRF through attacker-created webhooks.
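To make the two patterns concrete, the following Ruby sketch is an added example and is not OpenProject's own code. It contrasts a connectivity test of the kind the advisory describes (connect to a caller-supplied host and port and report each failure mode separately, which is the host/port oracle) with a hardened version that rejects internal destinations before connecting, connects to the vetted IP rather than re-resolving the name, and returns one generic error for every failure. The same address policy is then applied to a webhook URL. The blocked ranges, the function names, and the injectable resolver/connector lambdas are assumptions for the example.

```ruby
require "ipaddr"
require "resolv"
require "socket"
require "timeout"
require "uri"

# Constructed example, not OpenProject code. Ranges an outbound connectivity
# test should never be allowed to target from the application host; the list is
# an assumption for the example and would be tuned per deployment.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# One response for every failure so the caller learns nothing about why.
GENERIC_ERROR = { ok: false, error: "SMTP test failed" }.freeze

def literal_ip?(str)
  IPAddr.new(str)
  true
rescue ArgumentError
  false
end

# Is this address in a blocked range? IPv4-mapped IPv6 ("::ffff:10.0.0.1") is
# converted to plain IPv4 first so it cannot slip past the IPv4 entries.
def internal_address?(addr)
  ip = IPAddr.new(addr.to_s)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.family == ip.family && range.include?(ip) }
end

# Vulnerable pattern: connect to whatever host and port the caller supplied and
# report each failure mode separately. "connection refused" means the host is up
# and the port closed; a timeout means no host or a filtered port; success means
# something is listening. That is exactly the oracle the advisory describes.
def smtp_test_vulnerable(host, port)
  Timeout.timeout(2) { TCPSocket.new(host, port).close }
  { ok: true }
rescue Errno::ECONNREFUSED
  { ok: false, error: "connection refused" }
rescue Timeout::Error, Errno::EHOSTUNREACH, Errno::ENETUNREACH
  { ok: false, error: "connection timed out" }
rescue SocketError
  { ok: false, error: "unknown host" }
end

# Hardened pattern: validate the port, resolve the name once, refuse if ANY
# returned address is internal (a name may mix public and private records),
# connect to the vetted IP rather than re-resolving the name, and collapse every
# failure into GENERIC_ERROR. resolver/connector are injectable so the policy
# can be exercised offline.
def smtp_test_hardened(host, port,
                       resolver: ->(h) { Resolv.getaddresses(h) },
                       connector: ->(ip, p) { Timeout.timeout(2) { TCPSocket.new(ip, p).close } })
  port = Integer(port, exception: false)
  return GENERIC_ERROR unless port && (1..65_535).cover?(port)

  addrs = literal_ip?(host) ? [host] : resolver.call(host)
  return GENERIC_ERROR if addrs.empty? || addrs.any? { |a| internal_address?(a) }

  connector.call(addrs.first, port)
  { ok: true }
rescue StandardError
  GENERIC_ERROR
end

# The same policy for a webhook target: vet the URL's host before the HTTP
# client is ever handed the URL.
def webhook_target_allowed?(url, resolver: ->(h) { Resolv.getaddresses(h) })
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme) && uri.hostname
  host = uri.hostname                       # strips [] from IPv6 literals
  addrs = literal_ip?(host) ? [host] : resolver.call(host)
  !addrs.empty? && addrs.none? { |a| internal_address?(a) }
rescue StandardError
  false
end
```

Two caveats a practitioner should keep in mind. First, a uniform error message does not hide timing: a refused connection returns in milliseconds while a filtered port waits for the timeout, so the destination check, not the message, is the primary control. Second, for webhooks the vetted address must be the one the HTTP client actually connects to (pin the IP or use a resolver hook) and redirects must not be followed to unchecked hosts, otherwise DNS rebinding or a 302 to an internal host reopens the hole.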
Users can upgrade to OpenProject version 17.2.0 or later to address this vulnerability.