OpenProject RCE (CVE-2026-32698)
CVE-2026-32698
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When tha...
Overview
A critical security vulnerability, tracked as CVE-2026-32698, has been identified in OpenProject, a widely used open-source project management platform. This flaw allows authenticated users with full administrator privileges to execute arbitrary SQL commands, which can be chained with a separate path traversal bug to ultimately achieve remote code execution on the server.
Vulnerability Details
The vulnerability is an SQL injection flaw located in the Cost Report feature. Specifically, when a custom field (which only an administrator can create) is used in a Cost Report, its name is not properly sanitized before being included in an SQL query, so an administrator can supply a field name that injects and executes arbitrary SQL commands.
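The defect class described above, shown as an added example in Ruby; it is not OpenProject's code, and the table name, query shape and helper names are assumptions. The vulnerable builder splices the field name into the SQL text, so a name containing a double quote ends the identifier early. The hardened builder quotes the name with the double-quote rule assumed here for PostgreSQL-style identifiers and, as defence in depth, only uses names that pass a conservative allowlist, falling back to a generated alias otherwise. A helper that flags field names carrying SQL metacharacters is included for the kind of review of existing custom fields recommended later in this advisory.

```ruby
# Added example (not OpenProject code): building a report query that names a
# column after a user-supplied custom field label. Table, column roles and
# helper names are assumptions for illustration.

# Vulnerable pattern: the field name is spliced into the SQL text. A name
# containing a double quote ends the identifier early and the remainder of the
# name becomes part of the statement.
def build_report_sql_unsafe(field_name)
  "SELECT \"#{field_name}\" AS value FROM cost_entries"
end

# Assumed PostgreSQL-style identifier quoting: wrap in double quotes and double
# every embedded double quote. The name can then never terminate the identifier.
def quote_identifier(name)
  raise ArgumentError, "identifier contains NUL" if name.include?("\0")
  "\"#{name.gsub('"', '""')}\""
end

def build_report_sql_safe(field_name)
  "SELECT #{quote_identifier(field_name)} AS value FROM cost_entries"
end

# Defence in depth: treat the field name as a display label, not as SQL. Only a
# conservative allowlist may be used as an identifier; anything else is mapped
# to a generated alias derived from the field's numeric id.
SAFE_IDENTIFIER = /\A[A-Za-z_][A-Za-z0-9_]{0,62}\z/

def identifier_allowed?(name)
  SAFE_IDENTIFIER.match?(name)
end

def column_alias_for(field_id, field_name)
  identifier_allowed?(field_name) ? field_name : "cf_#{Integer(field_id)}"
end

# Audit helper: flag existing custom field names that carry SQL metacharacters,
# which is what a review of fields created before patching would look for.
def suspicious_field_name?(name)
  name.match?(/["';\\]|--|\/\*/)
end
```

Quoting alone closes the injection shown here; the allowlist and generated alias remove the need to trust the label at all, which is the safer design when the value is controlled by a privileged but untrusted account.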
This SQL injection can be exploited to modify a project's identifier in the database. Combined with a separate, pre-existing bug in the Repositories module, where the project identifier is used unsanitized to construct the filesystem path for a Git checkout, this lets an attacker write a Git repository to an arbitrary location on the server. If that location is inside the OpenProject application directory, the planted files can lead to execution of arbitrary Ruby code when the application restarts.
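The second half of the chain, a project identifier used unsanitized to build a checkout path, as an added example in Ruby that is not OpenProject code; the repository root, identifier pattern, error class and function names are assumptions. It contrasts a plain `File.join` with a builder that validates the identifier against an allowlist and then confirms the normalised path still lies under the repository root, so a tampered identifier cannot steer the checkout elsewhere.

```ruby
# Added example (not OpenProject code): deriving a checkout directory from a
# project identifier that may have been tampered with in the database.

# Assumed repository root and identifier policy (not OpenProject's real values).
REPOS_ROOT = "/var/lib/openproject/repositories".freeze
PROJECT_IDENTIFIER = /\A[a-z0-9][a-z0-9_-]{0,99}\z/

class UnsafeRepositoryPath < StandardError; end

# Vulnerable pattern: the identifier is joined straight onto the root, so a
# value containing path separators or ".." segments leaves the root.
def checkout_path_unsafe(identifier, root = REPOS_ROOT)
  File.join(root, identifier)
end

# True when the lexically normalised candidate path sits strictly under root.
def contained_under?(root, candidate)
  root_abs = File.expand_path(root)
  File.expand_path(candidate).start_with?(root_abs + File::SEPARATOR)
end

# Hardened builder: reject anything outside the identifier allowlist, then
# re-check containment after normalisation as a second, independent guard.
def checkout_path_safe(identifier, root = REPOS_ROOT)
  unless PROJECT_IDENTIFIER.match?(identifier)
    raise UnsafeRepositoryPath, "identifier rejected by allowlist"
  end
  candidate = File.expand_path(identifier, root)
  unless contained_under?(root, candidate)
    raise UnsafeRepositoryPath, "path escapes repository root"
  end
  candidate
end
```

The allowlist is the primary control; the containment check exists so that a future relaxation of the pattern, or a value that bypasses validation by being written directly to the database as in this chain, still cannot produce a path outside the root.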
Impact
The impact of this vulnerability is severe (CVSS score: 9.1). Successful exploitation could allow an attacker with administrative access to:
- Execute arbitrary commands on the underlying operating system.
- Gain complete control of the OpenProject server.
- Access, modify, or delete sensitive project data and user information.
- Use the compromised server as a foothold for further attacks within the network.
Affected Versions
All OpenProject versions prior to the following are vulnerable:
- 16.6.9
- 17.0.6
- 17.1.3
- 17.2.1
Remediation and Mitigation
The only complete solution is to immediately upgrade your OpenProject installation to a patched version. Apply the fix for your current release series:
- 16.6.x: upgrade to 16.6.9
- 17.0.x: upgrade to 17.0.6
- 17.1.x: upgrade to 17.1.3
- 17.2.x: upgrade to 17.2.1
Immediate Action Steps:
- Patch: Apply the relevant update from the official OpenProject release channels without delay.
- Audit: Review administrator user accounts and audit logs for any suspicious activity, especially related to custom field creation or Cost Report generation.
- Principle of Least Privilege: Strictly limit the number of users with full administrator privileges to reduce the attack surface.
There are no effective workarounds for this vulnerability; patching is mandatory. System administrators should treat this vulnerability as critical and prioritize the update to prevent potential system compromise.