CVE-2026-24685
Arbitrary File Write in OpenProject Repository Diff Endpoint

Publication date: 2026-01-28

Last updated on: 2026-02-09

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject's repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via `git show`. By supplying a specially crafted `rev` value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject `git show` command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled `rev` as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of `git show` output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.
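The root cause above is argument injection: a value that begins with `-` reaches the `git show` argv unvalidated, so Git parses it as an option. The following Ruby is an added example written for this page, not OpenProject's own code or its fix; it contrasts the vulnerable argv construction with a hardened one that validates the revision and terminates option parsing with Git's `--end-of-options` (available since Git 2.24). The `SAFE_REV` pattern, the `InvalidRevision` class and the function names are assumptions for illustration.

```ruby
require "open3"

# Added example, not OpenProject's code. It shows the defensive pattern for
# handing a user-supplied revision to `git show`: validate the value and
# terminate option parsing so Git cannot read it as an option.

# Characters a single revision is expected to contain (hypothetical policy:
# tighten or loosen to match what the endpoint actually accepts). The first
# character must be alphanumeric, so option-like values never match.
SAFE_REV = /\A[A-Za-z0-9][A-Za-z0-9._\/^~{}-]{0,254}\z/

class InvalidRevision < ArgumentError; end

# Vulnerable pattern: rev goes straight into argv, so "--output=<path>"
# is parsed by Git as an option rather than as a revision.
def vulnerable_show_argv(rev)
  ["git", "show", rev]
end

# Hardened pattern with two independent layers:
#  1. reject anything that starts with "-" or contains unexpected characters;
#  2. pass --end-of-options (Git >= 2.24) so that whatever follows is treated
#     as a revision even if the validation is ever loosened.
# Note that "--" is not a substitute here: `git show -- <x>` makes Git treat
# <x> as a pathspec, not a revision.
def hardened_show_argv(rev)
  raise InvalidRevision, "revision must not start with '-'" if rev.start_with?("-")
  raise InvalidRevision, "revision contains unexpected characters" unless rev.match?(SAFE_REV)
  ["git", "show", "--end-of-options", rev]
end

# Returns true when rev would be accepted by the hardened builder.
def safe_rev?(rev)
  hardened_show_argv(rev)
  true
rescue InvalidRevision
  false
end

# Runs the hardened command as an argv (no shell involved) inside repo_dir.
# Returns the diff text; raises InvalidRevision before Git is ever invoked.
def show_revision(repo_dir, rev)
  argv = hardened_show_argv(rev)
  out, err, status = Open3.capture3(*argv, chdir: repo_dir)
  raise "git show failed: #{err}" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two ordinary revisions, the option-injection
  # value from the advisory, and a shell-metacharacter value.
  ["a1b2c3d", "main~2", "--output=/tmp/poc.txt", "HEAD; id"].each do |rev|
    puts "#{rev.inspect}: #{safe_rev?(rev) ? 'accepted' : 'rejected'}"
  end
end
```

Both layers matter: the allow-list is the primary control, and `--end-of-options` is defence in depth against a future regression in that list. Building the command as an argv array (rather than a shell string) separately rules out shell injection, but on its own does nothing against option injection, which is exactly the gap this CVE describes.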
Meta Information
Published: 2026-01-28
Last modified: 2026-02-09
Page generated: 2026-05-07
AI Q&A generated: 2026-01-29
EPSS evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor       Product      Version / Range
openproject  openproject  from 17.0.0 (inclusive) to 17.0.2 (exclusive)
openproject  openproject  up to 16.6.6 (exclusive)
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in OpenProject allows an attacker with the `:browse_repository` permission to perform arbitrary file writes by injecting command-line options into the `git show` command used by the repository diff download endpoint. By crafting a special revision parameter, the attacker can cause Git to write its output to a file path of their choosing, potentially overwriting files that the OpenProject process user can write to.

How can this vulnerability impact me?

The vulnerability can lead to data loss and denial of service by overwriting application or configuration files, impacting the integrity and availability of the OpenProject system. An attacker could create or overwrite arbitrary files, potentially disrupting normal operations or corrupting important data.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade OpenProject to version 17.0.2 or 16.6.6 or later, as these versions contain the fix for the arbitrary file write issue. Additionally, review and restrict the permissions for users with the `:browse_repository` permission to minimize risk until the upgrade is applied.