Description
OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.
Published: 2026-01-10
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows a registered administrator to execute arbitrary system commands on the server running OpenProject. It stems from insufficient validation of the sendmail binary path that the application later uses when sending a test e‑mail. This introduces a command injection flaw (CWE‑77) that can lead to full control over the installation, data, and network.

Affected Systems

The flaw affects OpenProject 16.6.1 and older. The issue is tied to the administrative interface that permits configuration of the sendmail binary path and the ability to send test e‑mails. No other products or prior versions are cited as vulnerable.

Risk and Exploitability

The CVSS score is 8.6, indicating high severity. The EPSS score is below 1 %, pointing to a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers must have authenticated administrative privileges and can inject arbitrary commands once they set the sendmail path and trigger the test e‑mail function.

Generated by OpenCVE AI on April 18, 2026 at 07:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by upgrading to OpenProject 16.6.2, which corrects the input validation flaw for the sendmail path.
  • Restrict the ability to send test e‑mails to a small group of trusted administrators, or disable the feature entirely until the patch is installed.
  • Ensure that the sendmail binary path cannot be altered by external input, or that any configured value is validated against a trusted whitelist; if the web UI still allows the path to be changed, remove that configuration capability until the issue is resolved.
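The whitelist check described in the last action above, as an added example in Ruby (OpenProject is a Rails application). This is not OpenProject's own code and does not reflect how the 16.6.2 fix is implemented; the function names, the allowlist contents and the sample inputs are assumptions chosen for illustration. The validator accepts only an absolute, normalised path that appears on a fixed allowlist and rejects anything containing whitespace or shell metacharacters; the test-mail helper then builds an argv array so that the binary is never started through a shell.

```ruby
# Added example (not OpenProject code): allowlist validation for a
# configurable sendmail binary path, as a mitigation for the class of
# flaw described above. Names and the allowlist are assumptions.
require 'pathname'

# Assumed deployment-specific allowlist of acceptable MTA binaries.
SENDMAIL_ALLOWLIST = %w[
  /usr/sbin/sendmail
  /usr/lib/sendmail
  /usr/bin/msmtp
].freeze

# Returns the canonical path if it is acceptable, or nil otherwise.
# Rules: must be a non-empty String, absolute, free of NUL, whitespace
# and shell metacharacters, and (after normalisation) on the allowlist.
def validate_sendmail_path(candidate, allowlist = SENDMAIL_ALLOWLIST)
  return nil unless candidate.is_a?(String)
  return nil if candidate.empty? || candidate.include?("\0")
  # Reject anything that would only be meaningful to a shell.
  return nil if candidate.match?(/[\s;&|`$<>(){}\[\]*?!'"\\]/)
  path = Pathname.new(candidate)
  return nil unless path.absolute?
  normalized = path.cleanpath.to_s # collapses "..", "." and duplicate slashes
  allowlist.include?(normalized) ? normalized : nil
end

# Builds the argv array for a test send. Passing an array (not a string)
# to Process.spawn or Open3 starts the binary directly, with no shell
# re-parsing the arguments. Raises if the configured path fails validation
# or the recipient is not a plain address (a leading "-" would otherwise
# be read as an option by the MTA).
def sendmail_argv(configured_path, recipient)
  binary = validate_sendmail_path(configured_path)
  raise ArgumentError, "sendmail path rejected: #{configured_path.inspect}" if binary.nil?
  raise ArgumentError, 'bad recipient' unless recipient.match?(/\A\w[\w.+-]*@[\w.-]+\z/)
  [binary, '-i', recipient] # -i: do not treat a lone "." line as end of input
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not values from the advisory.
  ['/usr/sbin/sendmail', '/usr/sbin/../sbin/sendmail',
   '/tmp/notsendmail', '/usr/sbin/sendmail; echo hi', 'sendmail'].each do |p|
    puts "#{p.inspect} => #{validate_sendmail_path(p).inspect}"
  end
  p sendmail_argv('/usr/sbin/sendmail', 'admin@example.com')
end
```

The allowlist comparison happens after normalisation, so a value such as `/usr/sbin/../sbin/sendmail` resolves to its canonical form before being checked, while any path outside the list, any relative path, and any value carrying shell syntax is rejected before it can reach the mail-sending code.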



Advisories

No advisories yet.

History

Wed, 14 Jan 2026 22:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
Metrics (cvssV3_1) | | {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Mon, 12 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openproject; Openproject openproject
Vendors & Products | | Openproject; Openproject openproject

Sat, 10 Jan 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.
Title | | OpenProject is Vulnerable to Code Execution in E-Mail function
Weaknesses | | CWE-77
References | |
Metrics (cvssV4_0) | | {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T19:16:44.111Z

Reserved: 2026-01-07T21:50:39.533Z

Link: CVE-2026-22601

Vulnrichment

Updated: 2026-01-12T19:16:41.351Z

NVD

Status : Analyzed

Published: 2026-01-10T02:15:48.913

Modified: 2026-01-14T22:26:03.920

Link: CVE-2026-22601

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses