CVE-2026-32698
SQL Injection in OpenProject Enables Remote Code Execution
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openproject | openproject | to 16.6.9 (exc) |
| openproject | openproject | From 17.0.0 (inc) to 17.0.6 (exc) |
| openproject | openproject | From 17.1.0 (inc) to 17.1.3 (exc) |
| openproject | openproject | 17.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects OpenProject, an open-source web-based project management application. It is an SQL injection in the Cost Reports module: the name of a custom field is interpolated into the SQL query that generates a cost report without being escaped, so a custom field name that contains SQL syntax is executed as part of the query during report generation.
Custom fields can only be created by users with full administrator privileges, which limits the attack surface. The injection becomes a route to code execution when combined with a second bug in the Repositories module, which builds the filesystem checkout path for a Git repository from the project identifier without sanitizing it; with a crafted identifier, an attacker can check out a repository to an arbitrary path on the server.
If the checkout lands within certain paths of the OpenProject application, the attacker can place Ruby code that the application loads on its next restart. The project identifier cannot be edited through the interface to include special characters, so the SQL injection is what lets an attacker write such an identifier into the database.
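The chain described above, modelled in plain Ruby as an added example (this is not OpenProject's code). It assumes the custom field name is used as a column alias in the generated report SQL, that the table and column names are illustrative, and that the repository root and project identifier format are stand-ins for the real configuration. Each weakness is shown in a vulnerable form next to a hardened one: identifier quoting for the SQL, and format validation plus path containment for the checkout path.

```ruby
# Added example, not OpenProject code: a plain-Ruby model of the two weaknesses
# the advisory chains together. Assumptions: the custom field name is used as a
# column alias in the report SQL, table/column names are illustrative, and the
# checkout root and identifier format are stand-ins for the real configuration.

REPO_ROOT = "/var/db/openproject/git"            # assumed repository base directory
IDENTIFIER_RE = /\A[a-z0-9][a-z0-9_-]*\z/        # assumed project identifier format

# Constructed attacker input: an administrator names a custom field so that the
# alias closes early and an UPDATE writes a traversal string into a project
# identifier, something the UI would refuse to accept directly.
MALICIOUS_NAME = %q{x"; UPDATE projects SET identifier = '../../app/config/initializers/evil' WHERE id = 1; --}

# --- Weakness 1: custom field name interpolated into the report query -------

# Vulnerable: the name is dropped into the statement text verbatim.
def report_sql_vulnerable(cf_name)
  "SELECT SUM(units) AS \"#{cf_name}\" FROM cost_entries GROUP BY custom_field_id"
end

# Hardened: quote as a PostgreSQL identifier (double any embedded double quote)
# and reject values that cannot be identifiers at all.
def quote_identifier(name)
  raise ArgumentError, "identifier must not be empty" if name.nil? || name.empty?
  raise ArgumentError, "identifier must not contain NUL" if name.include?("\0")
  "\"#{name.gsub('"', '""')}\""
end

def report_sql_hardened(cf_name)
  "SELECT SUM(units) AS #{quote_identifier(cf_name)} FROM cost_entries GROUP BY custom_field_id"
end

# True when a ';' appears outside single or double quotes, i.e. the alias
# escaped its quoted position and a second statement follows it.
def breaks_out?(sql)
  quote = nil
  sql.each_char do |c|
    if quote
      quote = nil if c == quote
    elsif c == '"' || c == "'"
      quote = c
    elsif c == ";"
      return true
    end
  end
  false
end

# --- Weakness 2: project identifier used to build the checkout path ----------

# Vulnerable: a traversal identifier walks out of REPO_ROOT.
def checkout_path_vulnerable(identifier)
  File.expand_path(File.join(REPO_ROOT, identifier))
end

# Hardened: enforce the identifier format first, then confirm the resolved
# path still lies under REPO_ROOT.
def checkout_path_hardened(identifier)
  raise ArgumentError, "invalid identifier" unless identifier.match?(IDENTIFIER_RE)
  path = File.expand_path(File.join(REPO_ROOT, identifier))
  raise ArgumentError, "path escapes repository root" unless path.start_with?(REPO_ROOT + File::SEPARATOR)
  path
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable SQL breaks out: #{breaks_out?(report_sql_vulnerable(MALICIOUS_NAME))}"
  puts "hardened SQL breaks out:   #{breaks_out?(report_sql_hardened(MALICIOUS_NAME))}"
  puts "vulnerable path: #{checkout_path_vulnerable('../../app/config/initializers/evil')}"
  begin
    checkout_path_hardened("../../app/config/initializers/evil")
  rescue ArgumentError => e
    puts "hardened path rejected: #{e.message}"
  end
end
```

The two hardened functions illustrate the general rule for both halves of the chain: an identifier that reaches SQL text must be quoted as an identifier (or looked up from an allowlist), never interpolated as data, and a filesystem path built from user-influenced input must be validated against its format and then re-checked after resolution to confirm it stayed inside the intended root.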
The issue is fixed in versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 of OpenProject.
How can this vulnerability impact me?
The direct impact is execution of arbitrary SQL against the OpenProject database: data can be read, corrupted or modified, including records such as project identifiers that the application would not otherwise let a user change.
Chained with the Repositories module bug, an attacker can check out a Git repository to an arbitrary path on the server and place Ruby code where the application loads it, which yields remote code execution and potentially full control over the application and the underlying host.
Because creating custom fields requires administrator privileges, the risk is reduced but still significant: a compromised or malicious administrator account, or a separate vulnerability that grants those privileges, turns this into a server compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no network signature for this issue; detection is a version check. Determine the version of the OpenProject instance (from the administration area or the API) and compare it against the affected ranges in the table above: anything below 16.6.9, 17.0.0 up to but excluding 17.0.6, 17.1.0 up to but excluding 17.1.3, or exactly 17.2.0 is affected. Because exploitation requires an administrator-created custom field whose name carries SQL syntax, and results in a project identifier containing characters the interface normally rejects (such as path separators or ".."), reviewing custom field names for quotes and semicolons and project identifiers for such characters in the database are indicators of attempted exploitation.
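An added example (not OpenProject's own code) that turns the affected-version table on this page into a check a practitioner can run against a reported version string. It assumes the API root document (/api/v3) carries the running version in a "coreVersion" field; adjust the key if your instance reports it differently. The sample response is constructed, not captured from a real instance.

```ruby
# Added example, not OpenProject code: compare a running OpenProject version
# against the affected ranges listed on this page. Assumption: the API root
# document (/api/v3) carries the version in a "coreVersion" field.
require "json"
require "rubygems"   # Gem::Version (stdlib) orders versions correctly, e.g. 17.0.10 > 17.0.6

# [lower bound inclusive, upper bound exclusive], taken from the table above.
AFFECTED_RANGES = [
  ["0",      "16.6.9"],
  ["17.0.0", "17.0.6"],
  ["17.1.0", "17.1.3"],
  ["17.2.0", "17.2.1"],
].freeze

# Pre-release strings such as "17.0.6-rc1" sort below "17.0.6" under
# Gem::Version, so a build preceding the fix is correctly reported as affected.
def affected?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? do |lo, hi|
    v >= Gem::Version.new(lo) && v < Gem::Version.new(hi)
  end
end

# Pull the version out of an API root response body.
def core_version_from(api_root_json)
  JSON.parse(api_root_json).fetch("coreVersion")
end

# Constructed sample response, not a capture from a real instance.
SAMPLE_API_ROOT = '{"_type":"Root","instanceName":"Demo","coreVersion":"17.1.2"}'

if $PROGRAM_NAME == __FILE__
  v = core_version_from(SAMPLE_API_ROOT)
  puts "#{v}: #{affected?(v) ? 'AFFECTED, upgrade' : 'not in an affected range'}"
end
```

Feed `core_version_from` the body returned by the instance's API root, or pass the version shown in the administration area straight to `affected?`.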
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenProject to one of the fixed versions: 16.6.9, 17.0.6, 17.1.3, or 17.2.1.
The fixed releases address both halves of the chain: the SQL injection through custom field names in Cost Reports and the unsanitized project identifier used to build repository checkout paths. No configuration workaround is documented, so upgrading is the primary measure. Until the upgrade is complete, keep the administrator role restricted to trusted accounts and review existing custom field names and project identifiers for unexpected characters.