CVE-2026-22601
Unknown Unknown - Not Provided
Command Injection in OpenProject Admin Email Configuration (Pre

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22601
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
opf openproject to 16.6.2 (exc)
opf openproject 16.6.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22601 is a command injection vulnerability in OpenProject versions 16.6.1 and below. A registered administrator can exploit this flaw by configuring the 'System path to sendmail' setting with malicious input. When the application sends a test email, it executes this input in a Linux shell without proper sanitization, allowing the attacker to run arbitrary commands on the underlying system with high privileges. [2]

Impact Analysis

This vulnerability can have a severe impact as it allows an attacker with administrator access to execute arbitrary commands on the server hosting OpenProject. This can lead to full system compromise, including unauthorized access to sensitive data, disruption of services, and potential further exploitation of the network. The CVSS score of 8.6 indicates a high impact on confidentiality, integrity, and availability. [2]

Detection Guidance

To detect this vulnerability, check if your OpenProject instance is version 16.6.1 or below and if the 'System path to sendmail' setting under Administration β†’ Emails and Notifications β†’ Mail Notification is configurable by an administrator. You can verify the OpenProject version by running a command like `dpkg -l | grep openproject` or checking the application UI. Additionally, inspect the sendmail path setting for suspicious command injection patterns. Since the vulnerability involves command injection via the sendmail path, monitoring logs for unusual command executions or email sending failures may help. There are no specific commands provided to detect exploitation, but verifying the version and configuration is key. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading OpenProject to version 16.6.2 or later, where the vulnerability is patched. If upgrading is not immediately possible, set the sendmail executable path using the environment variable OPENPROJECT_SENDMAIL__LOCATION, which makes the setting read-only and prevents modification through the web interface. Also, restrict administrator privileges carefully to trusted users only, as the vulnerability requires administrator access to exploit. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22601. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart