CVE-2026-32698
Status: Received - Intake
SQL Injection in OpenProject Enables Remote Code Execution

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query without proper sanitization. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report. As custom fields can only be created by users with full administrator privileges, the attack surface is somewhat reduced. Together with another bug in the Repositories module, which used the project identifier without sanitization to generate the checkout path for a git repository in the filesystem, this allowed an attacker to check out a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths of the OpenProject application, this allows the attacker to inject Ruby code into the application upon its next restart. As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, it needs to be changed via the SQL injection described above. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
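As an added illustration (not OpenProject's own code), the two defensive checks the description implies, in Ruby: a strict project-identifier pattern plus an independent root-confinement check on the derived checkout path, and identifier quoting for a custom field name before it is interpolated into a report query. The repository root, the identifier pattern and the table name are constructed assumptions for this example.

```ruby
require 'pathname'

# Constructed for this example: where repositories are checked out.
REPO_ROOT = '/var/lib/openproject/repositories'

# Assumed identifier pattern: letters, digits, hyphen and underscore only, so a
# value containing dots or slashes can never reach the path builder.
IDENTIFIER_RE = /\A[a-z0-9][a-z0-9_-]{0,99}\z/

def valid_identifier?(identifier)
  identifier.is_a?(String) && IDENTIFIER_RE.match?(identifier)
end

# Second, independent check: normalise the joined path and refuse anything that
# does not stay strictly below the root. This still holds if the identifier was
# altered in the database directly, bypassing the model-level validation.
def confine_to_root(root, relative)
  base = Pathname.new(root).cleanpath
  path = (base + relative).cleanpath
  unless path.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise ArgumentError, "checkout path escapes repository root: #{relative.inspect}"
  end
  path.to_s
end

def checkout_path(identifier, root = REPO_ROOT)
  raise ArgumentError, 'invalid project identifier' unless valid_identifier?(identifier)
  confine_to_root(root, identifier)
end

# Quote a custom field name as a SQL identifier the PostgreSQL way: wrap it in
# double quotes and double any embedded quote, so the name is always read as a
# column name and can never close the identifier and continue as SQL. This is
# the same rule ActiveRecord's quote_column_name applies.
def quote_identifier(name)
  raise ArgumentError, 'identifier contains NUL' if name.include?("\0")
  '"' + name.gsub('"', '""') + '"'
end

# Constructed table name; the point is that only the quoted form is interpolated.
def cost_report_sql(custom_field_name)
  "SELECT #{quote_identifier(custom_field_name)} FROM cost_entries"
end
```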
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-19
Generated: 2026-06-16
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (4 associated CPEs)
Vendor | Product | Version / Range
openproject | openproject | up to 16.6.9 (excluding)
openproject | openproject | from 17.0.0 (including) to 17.0.6 (excluding)
openproject | openproject | from 17.1.0 (including) to 17.1.3 (excluding)
openproject | openproject | 17.2.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

This vulnerability affects OpenProject, an open-source web-based project management software. It is an SQL injection attack that occurs via a custom field's name when used in a Cost Report. The custom field's name is injected into the SQL query without proper sanitation, allowing an attacker to execute arbitrary SQL commands during report generation.

Since custom fields can only be created by users with full administrator privileges, the attack surface is somewhat limited. However, combined with another bug in the Repositories module, which uses the project identifier without sanitization to generate the checkout path for a git repository on the filesystem, an attacker can check out a git repository to an arbitrary path on the server.

If the checkout occurs within certain paths of the OpenProject application, upon the next restart, the attacker can inject Ruby code into the application. The project identifier cannot be manually edited to include special characters, so this must be done via the SQL injection vulnerability.

The issue is fixed in versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 of OpenProject.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of arbitrary SQL commands, which can lead to data leakage, data corruption, or unauthorized data modification.

Additionally, by exploiting a related bug, an attacker can check out a git repository to an arbitrary path on the server and inject malicious Ruby code into the OpenProject application. This can lead to remote code execution, potentially allowing full control over the application and the underlying server.

Because the vulnerability requires administrator privileges to create custom fields, the risk is somewhat reduced but still significant if an attacker gains such privileges or exploits other vulnerabilities.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to one of the fixed versions: 16.6.9, 17.0.6, 17.1.3, or 17.2.1.

Since the vulnerability involves SQL injection via custom fields and arbitrary code injection through the Repositories module, applying the official patches in these versions is critical to prevent exploitation.
