Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the <Snapshot> value in markup.bcf is manipulated to contain an absolute or traversal local path (for example: /etc/passwd or ../../../../etc/passwd). During import, this untrusted <Snapshot> value is used as file.path during attachment processing. As a result, local filesystem content can be read outside the intended ZIP scope. This results in an Arbitrary File Read (AFR) within the read permissions of the OpenProject application user. This vulnerability is fixed in 17.2.0.
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

The vulnerability enables authenticated users with BCF import permissions to upload a crafted .bcf file containing a &lt;Snapshot&gt; element that specifies an absolute or traversal path. During import, the application uses this untrusted value directly as a file path for attachment processing, allowing the reader to access files outside the intended ZIP scope. Because the attack exploits path traversal (CWE‑22), it results in an Arbitrary File Read of any file readable by the OpenProject application user, potentially exposing sensitive system configuration or user data.

Affected Systems

The defect is present in all OpenProject releases prior to version 17.2.0. The software vendor’s CNA lists the affected vendor as opf:openproject, with the product name OpenProject. The vulnerability is fixed in release 17.2.0; any version before that is vulnerable.

Risk and Exploitability

The CVSS v3.1 base score of 6.5 indicates moderate severity. The EPSS score is below 1%, signalling a low likelihood of exploitation at this time. The vulnerability is not currently in the CISA KEV catalog. Exploitation requires an authenticated project member with BCF import rights; the attacker must create a malicious .bcf archive and upload it to trigger the path traversal. Because the attack is local to the application’s file system, it does not allow remote code execution, but can lead to confidentiality breaches if sensitive files are read.

Generated by OpenCVE AI on March 17, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.2.0 or later
  • Restrict BCF import permissions to trusted users to limit potential exploitation

Generated by OpenCVE AI on March 17, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Openproject
Openproject openproject
CPEs cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
Vendors & Products Openproject
Openproject openproject

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Opf
Opf openproject
Vendors & Products Opf
Opf openproject

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the <Snapshot> value in markup.bcf is manipulated to contain an absolute or traversal local path (for example: /etc/passwd or ../../../../etc/passwd). During import, this untrusted <Snapshot> value is used as file.path during attachment processing. As a result, local filesystem content can be read outside the intended ZIP scope. This results in an Arbitrary File Read (AFR) within the read permissions of the OpenProject application user. This vulnerability is fixed in 17.2.0.
Title OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Read (AFR)
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Openproject Openproject
Opf Openproject
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:18:50.762Z

Reserved: 2026-03-04T17:23:59.798Z

Link: CVE-2026-30234

cve-icon Vulnrichment

Updated: 2026-03-11T17:18:46.301Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:41.383

Modified: 2026-03-17T15:53:21.787

Link: CVE-2026-30234

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:50Z

Weaknesses