CVE-2026-30234
Received Received - Intake
Arbitrary File Read in OpenProject BCF Import Component

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the <Snapshot> value in markup.bcf is manipulated to contain an absolute or traversal local path (for example: /etc/passwd or ../../../../etc/passwd). During import, this untrusted <Snapshot> value is used as file.path during attachment processing. As a result, local filesystem content can be read outside the intended ZIP scope. This results in an Arbitrary File Read (AFR) within the read permissions of the OpenProject application user. This vulnerability is fixed in 17.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30234
EUVD
EUVD-2026-11202
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openproject openproject to 17.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30234 is a moderate severity vulnerability in OpenProject versions prior to 17.2.0, specifically in the BIM BCF XML Import feature.

An authenticated project member with BCF import permissions can upload a crafted .bcf archive where the <Snapshot> element in the markup.bcf file is manipulated to contain an absolute or directory traversal path (for example, /etc/passwd or ../../../../etc/passwd).

During the import process, this manipulated <Snapshot> value is used as a file path for attachment processing without proper validation, allowing the attacker to read arbitrary local files on the server within the file read permissions of the OpenProject application user.

The attack requires low privileges and no user interaction, and it impacts confidentiality by allowing unauthorized local file disclosure.

Impact Analysis

This vulnerability can impact you by allowing an authenticated project member with BCF import permissions to read arbitrary local files on the server where OpenProject is running.

Since the attacker can access files outside the intended ZIP scope, sensitive information stored on the server could be exposed, leading to a breach of confidentiality.

The vulnerability does not affect the integrity or availability of the system but compromises the confidentiality of local filesystem content accessible to the OpenProject application user.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to version 17.2.0 or later, where the issue has been fixed.

Additionally, restrict BCF import permissions to trusted users only, as exploitation requires authenticated project members with these permissions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30234. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart