OpenProject Vulnerability in SMTP Test Endpoint Allows Internal Network Mapping
CVE-2026-31974

3LOW

Key Information:

Vendor: Opf
Status: Openproject
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-31974?

OpenProject, an open-source project management tool, contains a vulnerability in its SMTP test endpoint prior to version 17.2.0. This issue allows attackers to input arbitrary host and port values, generating varying response behaviors based on the existence of the target IP and the state of the port. By leveraging these timing and error responses, attackers can effectively map internal network services and identify reachable ports. Moreover, the ability to create webhooks targeting arbitrary IPs exacerbates this risk, facilitating internal network scans and potential exposure to sensitive services.

Affected Version(s)

openproject < 17.2.0

References

https://github.com/opf/openproject/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 10, 2026

CVE-2026-31974 Data

JSON

Opf

What is CVE-2026-31974?

Affected Version(s)

References

CVSS V3.1

Timeline