FKIE_CVE-2026-32698

Vulnerability from fkie_nvd - Published: 2026-03-18 22:16 - Updated: 2026-03-19 18:32
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query without proper sanitation. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report. As custom fields can only be generated by users with full administrator privileges, the attack surface is somewhat reduced. Together with another bug in the Repositories_module, that used the project identifier without sanitation to generate the checkout path for a git repository in the filesystem, this allowed an attacker to checkout a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, upon the next restart of the application, this allows the attacker to inject ruby code into the application. As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, this needs to be changed via the SQL injection described above. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
References
security-advisories@github.comhttps://github.com/opf/openproject/security/advisories/GHSA-jqhf-rf9x-9rhxVendor Advisory
Impacted products
Vendor Product Version
openproject openproject *
openproject openproject *
openproject openproject *
openproject openproject 17.2.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7FD9C4C4-FFDC-4EE6-AAB2-901C1C6CB6BE",
              "versionEndExcluding": "16.6.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1003FD4-BC22-4AB4-91B4-EB63FFF41C2A",
              "versionEndExcluding": "17.0.6",
              "versionStartIncluding": "17.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "86B90D5D-1A3D-4524-A3CC-F7B7274A4E26",
              "versionEndExcluding": "17.1.3",
              "versionStartIncluding": "17.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2D1F069-BA78-4F8A-8FF9-DAE63BFB39CF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field\u0027s name. When that custom field was used in a Cost Report, the custom field\u0027s name was injected into the SQL query without proper sanitation. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report. As custom fields can only be generated by users with full administrator privileges, the attack surface is somewhat reduced. Together with another bug in the Repositories_module, that used the project identifier without sanitation to generate the checkout path for a git repository in the filesystem, this allowed an attacker to checkout a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, upon the next restart of the application, this allows the attacker to inject ruby code into the application. As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, this needs to be changed via the SQL injection described above. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue."
    },
    {
      "lang": "es",
      "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto, basado en la web. Las versiones anteriores a 16.6.9, 17.0.6, 17.1.3 y 17.2.1 son vulnerables a un ataque de inyecci\u00f3n SQL a trav\u00e9s del nombre de un campo personalizado. Cuando ese campo personalizado se utilizaba en un Informe de Costos, el nombre del campo personalizado se inyectaba en la consulta SQL sin la sanitizaci\u00f3n adecuada. Esto permit\u00eda a un atacante ejecutar comandos SQL arbitrarios durante la generaci\u00f3n de un Informe de Costos. Dado que los campos personalizados solo pueden ser generados por usuarios con privilegios de administrador completos, la superficie de ataque se reduce un poco. Junto con otro error en el m\u00f3dulo Repositories, que utilizaba el identificador del proyecto sin sanitizaci\u00f3n para generar la ruta de extracci\u00f3n para un repositorio git en el sistema de archivos, esto permit\u00eda a un atacante extraer un repositorio git a una ruta elegida arbitrariamente en el servidor. Si la extracci\u00f3n se realiza dentro de ciertas rutas dentro de la aplicaci\u00f3n OpenProject, tras el siguiente reinicio de la aplicaci\u00f3n, esto permite al atacante inyectar c\u00f3digo ruby en la aplicaci\u00f3n. Dado que el identificador del proyecto no puede ser editado manualmente a ninguna cadena que contenga caracteres especiales como puntos o barras, esto necesita ser cambiado a trav\u00e9s de la inyecci\u00f3n SQL descrita anteriormente. Las versiones 16.6.9, 17.0.6, 17.1.3 y 17.2.1 corrigen el problema."
    }
  ],
  "id": "CVE-2026-32698",
  "lastModified": "2026-03-19T18:32:37.460",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-18T22:16:24.223",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/opf/openproject/security/advisories/GHSA-jqhf-rf9x-9rhx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.