CVE-2026-22600
Unknown Unknown - Not Provided
Local File Read via ImageMagick in OpenProject PDF Export

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22600
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opf openproject to 16.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker with low privileges (attachment upload rights) to read sensitive local files on the server that the application user has access to. This can lead to exposure of sensitive information like system files, project configuration files, and private project data. The attack requires no user interaction beyond uploading the malicious file and can compromise confidentiality, with potential impacts on integrity and availability as well. [2]

Executive Summary

CVE-2026-22600 is a critical Local File Read vulnerability in OpenProject versions prior to 16.6.4. It occurs in the work package PDF export feature that uses ImageMagick for image processing. An attacker with permission to upload attachments can upload a specially crafted SVG file disguised as a PNG. When the work package is exported to PDF, ImageMagick tries to resize the image, triggering its SVG coder, which can be exploited to read arbitrary local files accessible by the application user, such as /etc/passwd and private project data. [2]

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade OpenProject to version 16.6.4, which contains the patch fixing the issue. If upgrading is not possible right away, you can apply the manual patch named 70329-narrow-mime-type.patch. Additionally, as a temporary mitigation, you can remove PDF export permissions from users to prevent exploitation of the vulnerability. [2, 1]

Compliance Impact

The vulnerability allows an attacker with low privileges to read arbitrary local files accessible by the application user, including sensitive project data and configuration files. This exposure of sensitive information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access. Therefore, exploitation of this vulnerability may result in violations of these standards due to unauthorized disclosure of protected information. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22600. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart