Description
OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.
Published: 2026-01-10
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Local File Read leading to arbitrary access to sensitive files
Action: Immediate Patch
AI Analysis

Impact

OpenProject contains a Local File Read flaw in the PDF export of work packages. An attacker who can upload attachments can craft an SVG file disguised as a PNG. When the work package is exported to PDF, ImageMagick resizes the uploaded image, triggering its text: coder and allowing the attacker to read any local file the application process can access.

Affected Systems

All installations of OpenProject using ImageMagick for PDF export and running a version earlier than 16.6.4 are affected. The vulnerability is only exploitable if the user has permission to upload attachments to a work package that can later be exported to PDF.

Risk and Exploitability

The CVSS score is 9.1 and the EPSS estimation is below 1%, indicating low current exploitation probability. OpenProject is not listed in the CISA KEV catalog. The attack requires valid user credentials with attachment rights; no external network access is needed beyond the web interface. The impact would be read access to files such as /etc/passwd, configuration files, or private project data.

Generated by OpenCVE AI on April 18, 2026 at 07:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 16.6.4 or later.
  • If an upgrade is delayed, apply the vendor-provided manual patch as described in the security advisory.
  • Restrict the upload and export permissions for work packages to only trusted users, and block SVG files from being processed for PDF export.
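A content-sniffing check of the kind the last action calls for, written in Ruby (OpenProject's language) as an added example that is not OpenProject's own code; the method names and the accepted MIME-type list are assumptions, and the sample inputs are constructed:

```ruby
# Added example (not OpenProject code): accept an attachment for PDF export only
# when its bytes carry the magic signature of the raster type it claims to be.
# ImageMagick picks a coder from file content, not from the extension, so a
# file named .png whose body is XML is still handed to the SVG coder.
PNG_SIGNATURE  = "\x89PNG\r\n\x1a\n".b
JPEG_SIGNATURE = "\xFF\xD8\xFF".b
GIF_SIGNATURES = ["GIF87a".b, "GIF89a".b].freeze
UTF8_BOM       = "\xEF\xBB\xBF".b
# An <svg root, optionally preceded by an XML prolog, DOCTYPE, comments or whitespace.
SVG_ROOT = /\A(?:<\?xml.*?\?>|<!DOCTYPE.*?>|<!--.*?-->|\s)*<svg\b/mi

# Returns the format actually present in the leading bytes, ignoring name and MIME type.
def sniff_image_format(bytes)
  head = bytes.b[0, 512]
  return :png  if head.start_with?(PNG_SIGNATURE)
  return :jpeg if head.start_with?(JPEG_SIGNATURE)
  return :gif  if GIF_SIGNATURES.any? { |sig| head.start_with?(sig) }
  head = head[3..-1] if head.start_with?(UTF8_BOM)
  return :svg if SVG_ROOT.match?(head)
  :unknown
end

# Only raster types are eligible (assumed list), and the sniffed format must match
# the declared one; SVG is never accepted for export, whatever it is called.
EXPORTABLE_TYPES = { "image/png" => :png, "image/jpeg" => :jpeg, "image/gif" => :gif }.freeze

def attachment_allowed?(declared_content_type, bytes)
  expected = EXPORTABLE_TYPES[declared_content_type]
  return false if expected.nil?
  sniff_image_format(bytes) == expected
end

# Constructed samples: a truncated PNG header, and a benign SVG document uploaded
# under a .png name with an image/png content type (the disguise the description mentions).
SAMPLE_PNG        = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR".b
SAMPLE_SVG_AS_PNG = "<?xml version=\"1.0\"?>\n<!-- constructed sample -->\n<svg xmlns=\"http://www.w3.org/2000/svg\"/>"

if $PROGRAM_NAME == __FILE__
  puts "image/png with PNG bytes: #{attachment_allowed?('image/png', SAMPLE_PNG)}"        # true
  puts "image/png with SVG bytes: #{attachment_allowed?('image/png', SAMPLE_SVG_AS_PNG)}" # false
end
```

Independently of this check, the text: coder named in the description can be disabled for ImageMagick as a whole with a policy.xml entry such as `<policy domain="coder" rights="none" pattern="TEXT" />`; that is a general ImageMagick hardening, not part of the vendor patch.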

Generated by OpenCVE AI on April 18, 2026 at 07:18 UTC.


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 22:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

Tue, 13 Jan 2026 20:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type: First Time appeared
Values added: Openproject; Openproject openproject
Type: Vendors & Products
Values added: Openproject; Openproject openproject

Sat, 10 Jan 2026 01:45:00 +0000

Type: Description
Values added: OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.
Type: Title
Values added: OpenProject is Vulnerable to Arbitrary File Read via ImageMagick SVG Coder
Type: Weaknesses
Values added: CWE-200
Type: References
Type: Metrics
Values added: cvssV3_1
{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}


Subscriptions

Openproject Openproject
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T20:07:53.470Z

Reserved: 2026-01-07T21:50:39.533Z

Link: CVE-2026-22600

Vulnrichment

Updated: 2026-01-13T20:07:50.732Z

NVD

Status : Analyzed

Published: 2026-01-10T02:15:48.743

Modified: 2026-01-14T22:25:56.047

Link: CVE-2026-22600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses