Skip to main content

Openproject CVE-2026-32698

| EUVDEUVD-2026-12966 CRITICAL
SQL Injection (CWE-89)
2026-03-18 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:50 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
17.2.1,17.1.3,16.6.9
EUVD ID Assigned
Mar 18, 2026 - 21:29 euvd
EUVD-2026-12966
Analysis Generated
Mar 18, 2026 - 21:29 vuln.today
CVE Published
Mar 18, 2026 - 21:01 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query without proper sanitation. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report. As custom fields can only be generated by users with full administrator privileges, the attack surface is somewhat reduced. Together with another bug in the Repositories_module, that used the project identifier without sanitation to generate the checkout path for a git repository in the filesystem, this allowed an attacker to checkout a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, upon the next restart of the application, this allows the attacker to inject ruby code into the application. As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, this needs to be changed via the SQL injection described above. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.

AnalysisAI

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.

Technical ContextAI

The vulnerability affects OpenProject (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*), an open-source Ruby on Rails-based project management system. The root cause is CWE-89 (SQL Injection), where custom field names are concatenated directly into SQL queries during Cost Report generation without proper parameterization or escaping. The attack chain leverages this SQL injection to modify project identifiers (normally restricted from containing special characters like dots or slashes), which are then used unsanitized in the Repositories module to construct filesystem paths for git repository checkouts. By controlling the checkout path and placing it within OpenProject's application directory structure, an attacker can inject malicious Ruby code that executes upon application restart.

RemediationAI

Immediately upgrade OpenProject to version 16.6.9 (for 16.x series), 17.0.6 (for 17.0.x series), 17.1.3 (for 17.1.x series), or 17.2.1 (for 17.2.x series) or later as documented in the vendor security advisory at https://github.com/opf/openproject/security/advisories/GHSA-jqhf-rf9x-9rhx. These patched versions implement proper input sanitization for custom field names and project identifiers. As a temporary mitigation until patching is completed, restrict administrator account access to only highly trusted personnel, implement strict monitoring of custom field creation activities, and review existing custom field names for suspicious content. Additionally, monitor git repository checkout operations and file system changes within the OpenProject application directory for unauthorized modifications.

CVE-2019-11600 HIGH POC
8.1 May 13

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi

CVE-2023-33960 HIGH POC
7.5 Jun 01

OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp

CVE-2023-31140 MEDIUM POC
6.5 May 08

OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely

CVE-2026-46386 CRITICAL
9.9 Jun 26

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco

CVE-2026-52782 CRITICAL
9.9 Jun 26

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj

CVE-2026-52785 CRITICAL
9.9 Jun 26

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user

CVE-2026-34717 CRITICAL
9.9 Apr 02

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via

CVE-2026-25763 CRITICAL
9.9 Feb 06

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr

CVE-2026-52780 CRITICAL
9.6 Jun 26

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi

CVE-2026-22600 CRITICAL
9.1 Jan 10

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex

CVE-2026-32703 CRITICAL
9.0 Mar 18

OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying

CVE-2026-24772 HIGH
8.9 Jan 28

Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication toke

Share

CVE-2026-32698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy