CVE-2026-23625 Overview
CVE-2026-23625 is a stored cross-site scripting (XSS) vulnerability affecting OpenProject, an open-source, web-based project management software. The vulnerability exists in the Roadmap view component and allows attackers to inject arbitrary HTML and JavaScript code through maliciously crafted project names.
The flaw stems from improper handling of user-controlled project names when rendering the "Related work packages" list. When a version contains work packages from a different project (such as a subproject), the link_to_work_package helper function prepends package.project.to_s to the link and returns the entire string with .html_safe. Since project names are user-controlled and no escaping occurs before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page.
Critical Impact
Attackers with project creation privileges can execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking, credential theft, and unauthorized actions within the OpenProject environment.
Affected Products
- OpenProject versions 16.3.0 through 16.6.4
Discovery Timeline
- 2026-01-19 - CVE-2026-23625 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-23625
Vulnerability Analysis
This stored XSS vulnerability arises from a security regression introduced in OpenProject version 16.3.0. During a refactoring effort to migrate to Rails' standard Content Security Policy framework, the X-Content-Type-Options: nosniff header was inadvertently removed from the application's response headers. This header had previously provided a defense-in-depth measure against certain content injection attacks.
The core issue lies in the link_to_work_package helper method used to render work package links in the Roadmap view. When displaying work packages that belong to subprojects, the method concatenates the project name directly into the HTML output and marks it as safe using Rails' .html_safe method. This bypasses Rails' automatic HTML escaping mechanism, creating an opportunity for XSS injection.
An attacker with the ability to create or modify project names can embed malicious script tags or event handlers that execute when other users view the Roadmap. The stored nature of this vulnerability means the malicious payload persists in the database and executes every time the affected page is rendered.
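The helper pattern described above, reconstructed as an added illustration beside its hardened form. This is not OpenProject's code: `SafeString`, `Project`, `WorkPackage` and the two `link_to_work_package_*` functions are stand-ins for Rails' SafeBuffer, the application's models and the real helper.

```ruby
require "erb"

# Minimal stand-in for ActiveSupport::SafeBuffer (what String#html_safe returns):
# the only property that matters here is that the content is trusted as HTML.
class SafeString < String
  def html_safe?
    true
  end
end

# Hypothetical stand-ins for the models the helper touches (not OpenProject's).
Project = Struct.new(:name) do
  def to_s
    name
  end
end
WorkPackage = Struct.new(:id, :subject, :project)

# Vulnerable pattern from the advisory: when the work package belongs to another
# project, the project name is prepended raw and the whole string is declared
# safe, so markup stored in a subproject name reaches the browser unescaped.
def link_to_work_package_vulnerable(package, current_project)
  link = %(<a href="/work_packages/#{package.id}">##{package.id} #{ERB::Util.html_escape(package.subject)}</a>)
  link = "#{package.project} - #{link}" if package.project != current_project
  SafeString.new(link)
end

# Hardened form: escape the user-controlled project name before it is joined
# with markup that is subsequently marked safe.
def link_to_work_package_fixed(package, current_project)
  link = %(<a href="/work_packages/#{package.id}">##{package.id} #{ERB::Util.html_escape(package.subject)}</a>)
  link = "#{ERB::Util.html_escape(package.project.to_s)} - #{link}" if package.project != current_project
  SafeString.new(link)
end

if __FILE__ == $PROGRAM_NAME
  main_project = Project.new("Main")
  sub = Project.new("Sub <script>/* constructed sample */</script>")  # constructed name
  wp  = WorkPackage.new(42, "Plan release", sub)
  puts link_to_work_package_vulnerable(wp, main_project)  # <script> survives
  puts link_to_work_package_fixed(wp, main_project)       # &lt;script&gt; instead
end
```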
Root Cause
The root cause is twofold: First, the improper use of .html_safe on user-controlled data (project names) without prior sanitization or escaping. Second, the inadvertent removal of the X-Content-Type-Options: nosniff security header during a configuration refactoring in version 16.3.0, which eliminated a layer of protection against content-type confusion attacks.
Attack Vector
The attack vector is network-based and requires low privileges to execute. An authenticated user with project creation permissions can craft a malicious project name containing JavaScript code. When another user navigates to the Roadmap view that displays work packages from the malicious subproject, the injected script executes in their browser context.
The attack requires user interaction—specifically, a victim must view the compromised Roadmap page. However, since Roadmap views are commonly accessed in project management workflows, the likelihood of exploitation is significant. The scope of impact extends beyond the vulnerable application context, as successful exploitation can compromise user sessions, exfiltrate sensitive data, or perform actions on behalf of authenticated users.
Detection Methods for CVE-2026-23625
Indicators of Compromise
- Unusual project names containing HTML tags, script elements, or JavaScript event handlers (e.g., <script>, onerror=, onload=)
- Database entries in the projects table with names containing encoded or raw HTML/JavaScript payloads
- Web server logs showing requests to Roadmap endpoints followed by suspicious outbound connections or error patterns
- User reports of unexpected browser behavior or pop-ups when viewing Roadmap pages
Detection Strategies
- Implement Content Security Policy (CSP) violation reporting to detect inline script execution attempts
- Deploy Web Application Firewall (WAF) rules to identify and alert on XSS patterns in HTTP responses
- Enable database auditing to monitor for suspicious INSERT or UPDATE operations on project name fields
- Configure browser-side XSS auditing and monitor for triggered detections in security logs
Monitoring Recommendations
- Monitor HTTP response headers to verify X-Content-Type-Options: nosniff is present on all responses
- Review application logs for unusual patterns in project creation or modification activities
- Implement real-time alerting for CSP violation reports indicating potential XSS attempts
- Conduct periodic security scans of the OpenProject database for stored XSS payloads
How to Mitigate CVE-2026-23625
Immediate Actions Required
- Upgrade to OpenProject version 16.6.5 or 17.0.0 immediately to apply the security fix
- If immediate upgrade is not possible, configure your reverse proxy or web server to add the X-Content-Type-Options: nosniff header to all responses
- Audit existing project names in the database for potential malicious content
- Review recent project creation and modification activity for signs of exploitation
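A defender-side audit of stored project names covering the indicators listed under Detection Methods and the "audit existing project names" action above, as an added example that is not part of the advisory or of OpenProject. `SAMPLE_ROWS` is a constructed stand-in for a `SELECT id, name FROM projects` dump, and the pattern list is an assumption about what a legitimate project name never contains.

```ruby
require "cgi"

# Markup features that have no business in a project name.
SUSPICIOUS_PATTERNS = {
  html_tag:      /<\s*\/?\s*[a-z][a-z0-9-]*/i,  # <script>, <img, </b
  event_handler: /\bon[a-z]+\s*=/i,             # onerror=, onload=
  js_url:        /javascript\s*:/i              # javascript: pseudo-URL
}.freeze

# Bring HTML-entity and percent-encoded variants of a payload into the same
# form as a raw one (e.g. "&lt;script&gt;" -> "<script>") before matching.
# Decoding is repeated a few times to undo nested encoding layers.
def normalize_name(name)
  decoded = name
  3.times do
    step = CGI.unescapeHTML(CGI.unescape(decoded))
    break if step == decoded
    decoded = step
  end
  decoded
end

# rows: array of { id:, name: } hashes. Returns one finding per suspicious row
# with the names of the patterns that matched, for review and cleanup.
def audit_project_names(rows)
  rows.each_with_object([]) do |row, findings|
    candidate = normalize_name(row[:name].to_s)
    reasons = SUSPICIOUS_PATTERNS.select { |_, re| candidate.match?(re) }.keys
    findings << { id: row[:id], name: row[:name], reasons: reasons } unless reasons.empty?
  end
end

# Constructed sample rows; rows 1 and 4 are benign names that must not be flagged.
SAMPLE_ROWS = [
  { id: 1, name: "Main Project" },
  { id: 2, name: "Sub <script>/* constructed */</script>" },
  { id: 3, name: "Design &lt;img src=x onerror=x&gt;" },  # entity-encoded variant
  { id: 4, name: "R&D Team 2 < 3" }
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_project_names(SAMPLE_ROWS).each do |f|
    puts "project #{f[:id]} flagged (#{f[:reasons].join(', ')}): #{f[:name].inspect}"
  end
end
```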
Patch Information
OpenProject has addressed this vulnerability in versions 16.6.5 and 17.0.0 by restoring the X-Content-Type-Options: nosniff header that was inadvertently removed during the Rails Content Security Policy migration. Users should upgrade to the latest patched version as soon as possible.
For detailed patch information, refer to the following official resources:
Workarounds
- Configure your proxying web server (nginx, Apache, etc.) to add the X-Content-Type-Options: nosniff header to all responses
- Implement strict input validation on project names at the application or database level to reject HTML content
- Deploy a Web Application Firewall with XSS filtering capabilities in front of the OpenProject instance
- Consider restricting project creation permissions to trusted administrators until the upgrade can be completed
# Nginx configuration example - add to server block
add_header X-Content-Type-Options "nosniff" always;
# Apache configuration example - add to VirtualHost or .htaccess
Header always set X-Content-Type-Options "nosniff"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.