Description
OpenProject is open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.
Published: 2026-01-28
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

OpenProject versions prior to 16.6.6 and 17.0.2 contain a command-line argument injection flaw in the repository diff download endpoint when rendering a single revision via git show. A crafted rev parameter such as `rev=--output=/tmp/poc.txt` causes the underlying Git command to treat the attacker-controlled value as an option and write its output to a user-specified path. The write operation runs under the OpenProject process user, allowing creation or overwriting of any file the process can write, which can corrupt application or configuration files and lead to data loss or denial of service.
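As an added example (not OpenProject's own code), this is the defensive pattern for the flaw described in the Description and Impact paragraphs above: validate a user-supplied revision against an allowlist, build the `git show` argv as an array so no shell is involved, and place `--end-of-options` (Git 2.24 and later) before the revision so Git cannot read it as a flag. The names REV_FORMAT, validate_revision!, git_show_argv and run_git_show, the sample revisions and the path /srv/repo.git are assumptions.

```ruby
# Added example, not OpenProject's code. Assumed names: REV_FORMAT,
# validate_revision!, git_show_argv, run_git_show.
require "open3"

# Allowlist for revision identifiers: hashes, branch/tag names and suffixes
# such as ~2 or ^ (this pattern is an assumption; tighten it for your
# deployment). The first character may not be "-", so option-looking values
# such as --output=/tmp/poc.txt never match.
REV_FORMAT = /\A[A-Za-z0-9][A-Za-z0-9._\/^~@{}-]{0,127}\z/

# Reject anything Git could parse as an option. Raises ArgumentError so the
# controller can answer HTTP 400 instead of running Git at all.
def validate_revision!(rev)
  rev = rev.to_s
  raise ArgumentError, "empty revision" if rev.empty?
  raise ArgumentError, "revision looks like an option: #{rev}" if rev.start_with?("-")
  raise ArgumentError, "revision has disallowed characters: #{rev}" unless REV_FORMAT.match?(rev)
  rev
end

# Build argv as an array (never a shell string) and put --end-of-options
# (Git >= 2.24) before the revision, so even a value that slipped past the
# allowlist is treated as a revision, not as a flag.
def git_show_argv(repo_path, rev)
  rev = validate_revision!(rev)
  ["git", "-C", repo_path, "show", "--end-of-options", rev]
end

# Executes the command via Open3; the array form bypasses the shell.
# Returns [stdout, success?]. Shown for completeness, not called below.
def run_git_show(repo_path, rev)
  out, _err, status = Open3.capture3(*git_show_argv(repo_path, rev))
  [out, status.success?]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: two valid revisions and the option-shaped value
  # from the advisory. Only argv is built here; Git is not invoked.
  %w[abc1234 main~2 --output=/tmp/poc.txt].each do |rev|
    begin
      puts git_show_argv("/srv/repo.git", rev).inspect
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```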

Affected Systems

The vulnerability affects installations of OpenProject, specifically any version older than 16.6.6 or 17.0.2. Any user possessing the `:browse_repository` permission on a project may trigger the flaw, regardless of other privileges.

Risk and Exploitability

The CVSS score of 9.4 signals critical severity, while an EPSS score of <1% indicates a low current exploitation probability. The vulnerability is not listed in CISA's KEV catalog. Attackers can exploit the flaw remotely via the web interface by providing a malicious rev parameter, provided they have repository browsing rights; the resulting arbitrary file write can compromise integrity and availability of the system.

Generated by OpenCVE AI on April 18, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenProject 16.6.6 or 17.0.2 (or later) to receive the vendor patch.
  • Limit or remove the :browse_repository permission for users who do not need repository access.
  • Ensure the OpenProject process runs with the least privileges necessary and that writable directories have the minimum required permissions to reduce the impact of any remaining write operations.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 18:30:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
Metrics |                | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 29 Jan 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Openproject; Openproject openproject
Vendors & Products  |                | Openproject; Openproject openproject

Wed, 28 Jan 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 17:00:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenProject is open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.
Title       |                | OpenProject has Argument Injection on Repository module that allows Arbitrary File Write
Weaknesses  |                | CWE-77
References  |                |
Metrics     |                | cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T17:54:14.053Z

Reserved: 2026-01-23T20:40:23.389Z

Link: CVE-2026-24685

Vulnrichment

Updated: 2026-01-28T17:54:10.676Z

NVD

Status : Analyzed

Published: 2026-01-28T17:16:16.147

Modified: 2026-02-09T18:24:51.600

Link: CVE-2026-24685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses