Impact
The vulnerability is a SQL injection: the name of a custom field is interpolated directly into the database query that generates a Cost Report, so SQL placed in the custom field name is executed against the database. A second flaw in the application checks out a git repository to an arbitrary filesystem location when the project identifier is not sanitized, and the two can be chained: the SQL injection is used to modify a project identifier, and the unsanitized identifier then lets a malicious git repository be written to a location from which, after a server restart, Ruby code is injected into the OpenProject application. Together, these issues lead to remote code execution. The primary weakness is identified as CWE-89 (SQL Injection).
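As an added illustration of the two weaknesses above (this is constructed example code, not OpenProject's own), the block contrasts a report query that splices the user-chosen custom field name into SQL with one that selects the field by its integer id through a bind parameter, and adds a strict allowlist check for project identifiers; the table and column names and the identifier pattern are assumptions.

```ruby
CustomField = Struct.new(:id, :name)

# Vulnerable pattern (kept to show the contrast): the user-chosen name is
# spliced into the query text, so the name takes part in SQL parsing.
def vulnerable_cost_report_sql(field)
  "SELECT cv.value, SUM(c.costs) FROM cost_entries c " \
    "JOIN custom_values cv ON cv.customized_id = c.work_package_id " \
    "JOIN custom_fields cf ON cf.id = cv.custom_field_id " \
    "WHERE cf.name = '#{field.name}' GROUP BY cv.value"
end

# Hardened pattern: the row is selected by its integer primary key, passed
# as a bind parameter. The display name never reaches the SQL text at all.
def hardened_cost_report_query(field)
  id = Integer(field.id) # raises ArgumentError/TypeError on non-integers
  sql = "SELECT cv.value, SUM(c.costs) FROM cost_entries c " \
    "JOIN custom_values cv ON cv.customized_id = c.work_package_id " \
    "WHERE cv.custom_field_id = $1 GROUP BY cv.value"
  { sql: sql, binds: [id] }
end

# Defence in depth for the second flaw in the chain: accept a project
# identifier only if it matches a strict allowlist before it is used
# anywhere near a filesystem path. The pattern is an assumption here.
PROJECT_IDENTIFIER = /\A[a-z0-9][a-z0-9_-]{0,99}\z/

def safe_project_identifier?(identifier)
  identifier.is_a?(String) && PROJECT_IDENTIFIER.match?(identifier)
end

if __FILE__ == $PROGRAM_NAME
  field = CustomField.new(7, "O'Brien's bucket") # constructed sample
  puts vulnerable_cost_report_sql(field)   # name lands in the SQL text
  p hardened_cost_report_query(field)      # name absent, id in binds
  p safe_project_identifier?("demo-project"), safe_project_identifier?("../etc")
end
```

The same principle applies to any label an administrator can edit: it is data for the UI layer and should reach the database only as a bind value, never as query text.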
Affected Systems
This flaw exists in opf:openproject. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are affected. The CPE entries cover the 16.*, 17.0.*, 17.1.*, and 17.2.* release lines, with 17.2.0 listed explicitly. The fixes are included in the patched releases named above.
Risk and Exploitability
The CVSS base score is 9.1, indicating a high-severity attack that can compromise confidentiality, integrity, and availability. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the flaw is not in the CISA KEV catalog, so no active exploitation is known. Exploitation requires web access to the application and an account able to create a custom field, which only administrators can do. While the chain could lead to full system compromise, that limited threat surface reduces the likelihood of success; an attacker who does obtain administrative rights has a straightforward path from the two chained flaws to remote code execution.
OpenCVE Enrichment