CVE-2026-22601
Command Injection in OpenProject Admin Email Configuration (Pre
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| opf | openproject | < 16.6.2 (upper bound exclusive, i.e. 16.6.1 and below) |
| opf | openproject | 16.6.2 (fixed release, see mitigation below) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22601 is a command injection vulnerability (CWE-77) in OpenProject versions 16.6.1 and below. An authenticated administrator can set the 'System path to sendmail' setting to a string containing shell metacharacters. When the application next sends a test email, that string is handed to a Linux shell without sanitization, so the attacker can run arbitrary commands on the host with the privileges of the OpenProject application process. [2]
How can this vulnerability impact me? :
The impact is severe: an attacker who holds (or has stolen) an OpenProject administrator account can execute arbitrary commands on the server hosting OpenProject, turning an application-level compromise into a host compromise. This can lead to unauthorized access to the database and attachments, disruption of service, and lateral movement into the surrounding network. The CVSS score of 8.6 reflects a high impact on confidentiality, integrity, and availability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To determine whether you are exposed, check two things. First, confirm the running OpenProject version is 16.6.1 or below: on packaged installs `dpkg -l | grep openproject` shows the installed version, on container installs check the image tag, or read the version from the application UI. Second, check whether the 'System path to sendmail' setting under Administration → Emails and Notifications → Mail Notification is still editable by administrators; it is unless the value has been pinned with the OPENPROJECT_SENDMAIL__LOCATION environment variable. To detect exploitation that may already have happened, inspect the stored sendmail path for anything other than a plain absolute path to an executable (semicolons, pipes, backticks, `$(...)`, redirects, or extra whitespace-separated tokens are red flags), and review application logs for test-email sending failures or unexpected child processes spawned by the OpenProject process. No vendor-provided detection commands exist for this issue, so verifying the version and the configured value is the key check. [2]
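The two answers above describe the mechanism (an administrator-controlled path reaching a shell) and the check (look for metacharacters in the stored value). The following Ruby block is an added illustration written for this page, not OpenProject's own code, and it does not reproduce the project's mail delivery implementation. It contrasts the vulnerable pattern (interpolating the setting into a `sh -c` string) with a hardened pattern (validating the value, then executing it as an argv array with no shell), and includes a small detection helper for auditing a stored setting value. The `ALLOWED_SENDMAIL` list, the helper names and the sample message are constructed assumptions.

```ruby
require "open3"

# Characters that let a "path" escape into a second shell command.
# Constructed allowlist-style check for this example, not OpenProject's logic.
SHELL_META = /[;&|`$<>(){}\n\r\\'"*?\[\]!#~\s]/

# Constructed allowlist of MTA binaries an administrator may legitimately pick.
# Argv execution alone is not enough: pointing the setting at /bin/sh would
# still feed the message body to a shell, so the binary itself must be pinned.
ALLOWED_SENDMAIL = %w[/usr/sbin/sendmail /usr/lib/sendmail /usr/bin/msmtp].freeze

# Vulnerable pattern: the admin-supplied location is interpolated into a
# command string and handed to /bin/sh, so ";", "|", "$(...)" etc. are parsed.
# Returns combined stdout+stderr of whatever the shell ran.
def vulnerable_deliver(sendmail_path, message)
  out, _status = Open3.capture2e("sh", "-c", "#{sendmail_path} -i -t",
                                 stdin_data: message)
  out
end

# A value is acceptable only if it is a plain absolute path with no shell
# metacharacters (the allowlist check is applied separately at delivery time).
def safe_sendmail_path?(path)
  path.is_a?(String) && path.start_with?("/") && !SHELL_META.match?(path)
end

# Hardened pattern: validate, then exec the binary directly with an argv
# array. No shell is involved, so metacharacters are never interpreted.
# Returns [combined_output, success?].
def hardened_deliver(sendmail_path, message, args: ["-i", "-t"],
                     allowlist: ALLOWED_SENDMAIL)
  unless safe_sendmail_path?(sendmail_path) && allowlist.include?(sendmail_path)
    raise ArgumentError, "refusing sendmail path #{sendmail_path.inspect}"
  end
  out, status = Open3.capture2e(sendmail_path, *args, stdin_data: message)
  [out, status.success?]
end

# Detection helper: list the reasons a stored setting value looks tampered with.
# An empty array means the value is a clean absolute path to an executable.
def suspicious_sendmail_path(value)
  reasons = []
  reasons << "contains shell metacharacters" if SHELL_META.match?(value)
  reasons << "is not an absolute path" unless value.start_with?("/")
  if value.start_with?("/") && !SHELL_META.match?(value) && !File.executable?(value)
    reasons << "does not resolve to an executable on this host"
  end
  reasons
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an attacker-style value and a constructed test message.
  payload = "/opt/nonexistent/sendmail; echo pwned"
  message = "To: admin@example.invalid\nSubject: test\n\nhello\n"
  puts "vulnerable output: #{vulnerable_deliver(payload, message).inspect}"
  puts "audit: #{suspicious_sendmail_path(payload).inspect}"
  begin
    hardened_deliver(payload, message)
  rescue ArgumentError => e
    puts "hardened: #{e.message}"
  end
end
```

The vulnerable function still runs the injected `echo` even though the sendmail binary in front of the semicolon does not exist, which is exactly why an attacker does not need a working MTA on the host. The hardened function refuses the same value before anything is spawned, and the audit helper can be run over a value read from the settings store to triage an existing instance.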
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenProject to version 16.6.2 or later, where the issue is fixed. If you cannot upgrade immediately, set the sendmail executable path through the environment variable OPENPROJECT_SENDMAIL__LOCATION; a value supplied that way is read-only in the web interface, so an administrator can no longer change it. Before and after either step, review the currently stored 'System path to sendmail' value for signs of tampering, and keep administrator privileges limited to trusted accounts, since administrator access is required to exploit this flaw. [1, 2]