Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.
Published: 2026-06-26
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject, a popular open-source project management tool, contains a severe SQL injection flaw in the timestamps functionality. The flaw lets an attacker manipulate the timestamps parameter used for baseline comparisons so that arbitrary SQL reaches the database query. Successful exploitation could lead to data disclosure, tampering with work-package history, or execution of database commands, compromising the confidentiality and integrity of project data.

Affected Systems

The vulnerability affects OpenProject deployments running any release prior to 17.3.3 and 17.4.1. The exposed surface is the baseline comparison API reached through the timestamps field, which is part of the OpenProject core library provided by opf:openproject.

Risk and Exploitability

With a CVSS score of 9.9 the flaw is considered critical. The absence of an EPSS score indicates no publicly available exploitation data, and the vulnerability is not yet catalogued in the CISA KEV list. Nevertheless, the well-documented attack surface (a web form or API parameter) suggests a realistic web-based exploitation path. If left unpatched, an attacker could achieve persistent data access or manipulation with minimal prerequisites.

Generated by OpenCVE AI on June 26, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenProject 17.3.3 or 17.4.1 or later, which removes the vulnerable code.
  • If an immediate upgrade is not possible, restrict or validate the timestamps parameter by disabling the baseline comparison feature for unauthenticated users or filtering input to allow only permitted values.
  • Configure logging and monitoring on the OpenProject instance to detect anomalous SQL injection attempts targeting the timestamps endpoint.
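The second and third actions above (allow-list the timestamps parameter, and detect requests that carry anything else) can be implemented together. The following is an added example, not OpenProject's own code: it assumes a comma-separated list of absolute ISO 8601 timestamps, a constructed journal query, and constructed access-log lines whose path and parameter layout are assumptions. It shows the unsafe interpolation pattern CWE-89 describes beside a bind-parameter version, and a scanner that flags log lines whose timestamps value fails the same validator.

```ruby
require "time"
require "cgi"

# Allow-list: absolute ISO 8601 timestamps only (assumption; relative forms are
# deliberately rejected here so the validator stays simple and auditable).
TIMESTAMP_RE = /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})\z/
MAX_TIMESTAMPS = 10 # constructed upper bound to limit query fan-out

class InvalidTimestamps < ArgumentError; end

# Returns an Array<Time> (normalised to UTC) or raises InvalidTimestamps.
# Quotes, comments, keywords or any other non-timestamp text never pass.
def parse_timestamps(param)
  raise InvalidTimestamps, "empty" if param.nil? || param.strip.empty?
  parts = param.split(",", -1).map(&:strip)
  raise InvalidTimestamps, "too many values (#{parts.size})" if parts.size > MAX_TIMESTAMPS
  parts.map do |raw|
    raise InvalidTimestamps, "bad format: #{raw.inspect}" unless raw.match?(TIMESTAMP_RE)
    begin
      Time.iso8601(raw).utc
    rescue ArgumentError # e.g. month 13: shape is right, value is not
      raise InvalidTimestamps, "not a real date: #{raw.inspect}"
    end
  end
end

# Unsafe pattern (the bug class of CWE-89): the raw parameter is spliced into
# the SQL text, so the caller controls the query. Hypothetical table name.
def unsafe_query(param)
  "SELECT * FROM work_package_journals WHERE created_at <= '#{param}'"
end

# Safe pattern: the SQL text is fixed; each timestamp travels as a bind value.
# Returns [sql, binds] in PostgreSQL $n placeholder style (constructed query).
def safe_query(timestamps)
  placeholders = timestamps.each_index.map { |i| "$#{i + 1}::timestamptz" }.join(", ")
  sql = "SELECT * FROM work_package_journals WHERE created_at IN (#{placeholders})"
  [sql, timestamps.map(&:iso8601)]
end

# Constructed access-log sample: path and parameter layout are assumptions.
SAMPLE_LOG = <<~LOG
  GET /api/v3/work_packages?timestamps=2024-01-01T00:00:00Z,2024-02-01T00:00:00Z 200
  GET /api/v3/work_packages?timestamps=2024-01-01T00:00:00Z'%20OR%201=1-- 500
  GET /api/v3/projects 200
LOG

# Detection: re-run the allow-list over logged timestamps values and report
# every request whose value the validator would have rejected.
def flag_suspicious_requests(log_text)
  log_text.each_line.filter_map do |line|
    m = line.match(/[?&]timestamps=([^&\s]+)/) or next
    value = CGI.unescape(m[1])
    begin
      parse_timestamps(value)
      nil
    rescue InvalidTimestamps => e
      { line: line.strip, reason: e.message }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  sql, binds = safe_query(parse_timestamps("2024-01-01T00:00:00Z,2024-02-01T12:30:00+02:00"))
  puts sql, binds.inspect
  flag_suspicious_requests(SAMPLE_LOG).each { |hit| puts "ALERT #{hit[:reason]} :: #{hit[:line]}" }
end
```

The validator is the single control point: the request handler calls it before building any query, and the log scanner reuses it so detection and prevention cannot drift apart. Anything that is not a well-formed absolute timestamp, including the injection-shaped value in the second sample line, is rejected and surfaced as an alert.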

Tracking

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type         Values Removed   Values Added
Description  -                OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.
Title        -                OpenProject: SQL injection in timestamps functionality
Weaknesses   -                CWE-89
References   -                -
Metrics      -                cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:54:03.858Z

Reserved: 2026-06-08T17:13:43.066Z

Link: CVE-2026-52785

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')