Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query without proper sanitation. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report. As custom fields can only be generated by users with full administrator privileges, the attack surface is somewhat reduced. Together with another bug in the Repositories_module, that used the project identifier without sanitation to generate the checkout path for a git repository in the filesystem, this allowed an attacker to checkout a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, upon the next restart of the application, this allows the attacker to inject ruby code into the application. As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, this needs to be changed via the SQL injection described above. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
AnalysisAI
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.
Technical ContextAI
The vulnerability affects OpenProject (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*), an open-source Ruby on Rails-based project management system. The root cause is CWE-89 (SQL Injection), where custom field names are concatenated directly into SQL queries during Cost Report generation without proper parameterization or escaping. The attack chain leverages this SQL injection to modify project identifiers (normally restricted from containing special characters like dots or slashes), which are then used unsanitized in the Repositories module to construct filesystem paths for git repository checkouts. By controlling the checkout path and placing it within OpenProject's application directory structure, an attacker can inject malicious Ruby code that executes upon application restart.
RemediationAI
Immediately upgrade OpenProject to version 16.6.9 (for 16.x series), 17.0.6 (for 17.0.x series), 17.1.3 (for 17.1.x series), or 17.2.1 (for 17.2.x series) or later as documented in the vendor security advisory at https://github.com/opf/openproject/security/advisories/GHSA-jqhf-rf9x-9rhx. These patched versions implement proper input sanitization for custom field names and project identifiers. As a temporary mitigation until patching is completed, restrict administrator account access to only highly trusted personnel, implement strict monitoring of custom field creation activities, and review existing custom field names for suspicious content. Additionally, monitor git repository checkout operations and file system changes within the OpenProject application directory for unauthorized modifications.
More in Openproject
View allA SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi
OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication toke
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12966