Description
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3.
Published: 2026-02-06
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OpenProject before versions 16.6.7 and 17.0.3 contains an arbitrary file write flaw in the repository changes endpoint. By sending a crafted rev value such as rev=--output=/tmp/poc.txt, an attacker can inject git log options and force the OpenProject process to write data to a path of the attacker's choice. With carefully composed commits, the attacker can place executable shell scripts as the file contents, resulting in remote code execution that allows creation of reverse shells and unrestricted reading of sensitive files like /etc/passwd.
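As an added illustration (not OpenProject's code and not the vendor's actual patch), the following Ruby sketch shows why spawning git without a shell does not by itself stop this bug class, and one way a user-supplied rev can be validated and separated from git's option parsing before it reaches git log. The module and function names, the SAFE_REV pattern and the fixed "-n 20" limit are assumptions; --end-of-options requires git 2.24 or newer.

```ruby
# Added example, not OpenProject's code. Demonstrates the CVE-2026-25763 bug class:
# a user-controlled "rev" beginning with "-" is parsed by git as an option, even
# when the process is spawned in argv form (no shell, so no classic shell injection).
require "open3"

module GitLogArgs
  # Assumed allow-list: plain ref names and hashes only. A leading "-" (and any
  # whitespace) is rejected, so option-looking values never reach git at all.
  SAFE_REV = /\A[A-Za-z0-9][A-Za-z0-9._\/-]{0,255}\z/

  # Vulnerable shape: rev lands where git expects a revision, but git option
  # parsing has not been terminated, so "--output=/tmp/x" is honoured as an option
  # and git writes its log output to that path.
  def self.vulnerable_argv(rev, limit: 20)
    ["git", "log", "-n", limit.to_s, rev]
  end

  # Hardened shape: validate first, then end option parsing with --end-of-options
  # and separate revisions from pathspecs with "--". Two layers: even if the
  # pattern were loosened, git would treat a "-..." value after --end-of-options
  # as an (unknown) revision and fail, rather than as an option.
  def self.hardened_argv(rev, limit: 20)
    raise ArgumentError, "invalid revision: #{rev.inspect}" unless SAFE_REV.match?(rev)
    ["git", "log", "-n", limit.to_s, "--end-of-options", rev, "--"]
  end

  # Runs an argv array without a shell; returns stdout, or nil if git failed.
  # Included for completeness; the checks above do not need git installed.
  def self.run(argv, repo_dir)
    out, status = Open3.capture2(*argv, chdir: repo_dir)
    status.success? ? out : nil
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: two legitimate refs and two option-shaped values.
  ["main", "v1.2.3", "--output=/tmp/poc.txt", "-n1"].each do |rev|
    puts "accepted #{rev.inspect}: #{GitLogArgs.hardened_argv(rev).join(' ')}"
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```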

Affected Systems

The vulnerability affects OpenProject web-based project management software before releases 16.6.7 and 17.0.3. Any deployment running these earlier versions is susceptible; the issue is fixed in the stated patched releases.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical-severity vulnerability, while the EPSS score of under 1% suggests a low current probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who has the :browse_repository permission on a project; the attacker then submits the crafted rev parameter to the changes endpoint, leading to an arbitrary file write and potentially code execution.

Generated by OpenCVE AI on April 17, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 16.6.7 or 17.0.3 or later to apply the vendor fix.
  • Restrict :browse_repository permission to trusted users only, minimizing the set of users who can trigger the vulnerable endpoint.
  • Implement monitoring or audit logging for writes to protected system paths and review for suspicious file modifications triggered by repository changes.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 19:15:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Mon, 09 Feb 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Openproject; Openproject openproject

Type: Vendors & Products
Values Removed: (none)
Values Added: Openproject; Openproject openproject

Fri, 06 Feb 2026 22:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: the vulnerability description (identical to the Description section at the top of this page)

Type: Title
Values Removed: (none)
Values Added: Command Injection on OpenProject repositories leads to Remote Code Execution

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-78

Type: References
Values Removed: (none)
Values Added: (not captured on this page)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:26:34.992Z

Reserved: 2026-02-05T18:35:52.358Z

Link: CVE-2026-25763

Vulnrichment

Updated: 2026-02-09T15:20:42.686Z

NVD

Status: Analyzed

Published: 2026-02-06T22:16:12.420

Modified: 2026-02-13T19:07:56.520

Link: CVE-2026-25763

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses