OpenProject CVE-2026-52785

EUVD: EUVD-2026-39867 · CRITICAL
SQL Injection (CWE-89)
2026-06-26 · GitHub_M
9.9 · CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary source: 9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
vuln.today AI: 8.3 HIGH

Network-reachable SQL injection exploitable by any authenticated low-privilege user (PR:L, AC:L, UI:N), giving database read and write. I score scope as unchanged because the injection stays within the application's own DBMS, whereas the provided vector used S:C.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: Jun 26, 2026 - 21:02 (EUVD)
Analysis Generated: Jun 26, 2026 - 19:45 (vuln.today)

Description (source: CVE.org)

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.

Analysis (AI)

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user inject SQL through the timestamps parameter used to request historic work-package attributes, affecting all versions prior to 17.3.3 and 17.4.1. Rated CVSS 9.9 with a changed scope, it can expose or alter database contents beyond the user's normal authorization. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as low-privileged user
Delivery: Open work-package baseline comparison
Exploit: Inject SQL via timestamps parameter
Execution: Query executes in app database
Impact: Exfiltrate or modify database records

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated account on the target OpenProject instance (CVSS PR:L) and the ability to invoke the baseline-comparison feature that accepts the timestamps parameter for requesting historic work-package attributes; that timestamps parameter is the exact injection point. …
Risk Assessment: Signals are strong, but with one caveat. …
Exploit Scenario: An attacker who holds (or self-registers for) a low-privileged OpenProject account opens a work-package baseline comparison and intercepts the request, replacing the timestamps parameter with a crafted SQL payload. The injected query runs against the OpenProject database, letting the attacker read other users' or projects' data and potentially modify records (I:H), all over the network with low complexity and no user interaction. …
Remediation: Vendor-released patch in 17.3.3 and 17.4.1. Upgrade to 17.3.3 if you are on the 17.3.x branch, or to 17.4.1 if you are on the 17.4.x branch (or later), following the GHSA-98vw-2r87-fx2r advisory at https://github.com/opf/openproject/security/advisories/GHSA-98vw-2r87-fx2r. …

Recommended Action (AI)

Within 24 hours: Inventory all OpenProject instances and identify which version lines are deployed (17.3.x vs 17.4.x); document user roles that carry database access, and review how low-privilege accounts are provisioned. …

CVE-2026-52785 vulnerability details – vuln.today