Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.
Published: 2026-06-26
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject, a popular open‑source project management tool, contains a severe SQL injection flaw in the timestamps functionality. The flaw allows an attacker to manipulate the timestamps parameter used for baseline comparisons to inject arbitrary SQL into database queries. Successful exploitation could lead to data disclosure, tampering of work‑package history, or execution of database commands, thereby compromising the confidentiality and integrity of project data.

Affected Systems

The vulnerability affects OpenProject deployments running from any release prior to 17.3.3 and 17.4.1. Attackers can target the baseline comparison API exposed through the timestamps field, which is part of the OpenProject core library provided by opf:openproject.

Risk and Exploitability

With a CVSS score of 9.9 the flaw is considered critical. The absence of an EPSS score indicates no publicly available exploitation data, and the vulnerability is not yet catalogued in the CISA KEV list. Nevertheless the well‑documented attack surface—in a web form or API—suggests a realistic web‑based exploitation path. If left unpatched, an attacker could achieve persistent data access or manipulation with minimal prerequisites.

Generated by OpenCVE AI on June 26, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenProject 17.3.3 or 17.4.1 or later, which removes the vulnerable code.
  • If an immediate upgrade is not possible, restrict or validate the timestamps parameter by disabling the baseline comparison feature for unauthenticated users or filtering input to allow only permitted values.
  • Configure logging and monitoring on the OpenProject instance to detect anomalous SQL injection attempts targeting the timestamps endpoint.

Generated by OpenCVE AI on June 26, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Opf
Opf openproject
Vendors & Products Opf
Opf openproject

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.
Title OpenProject: SQL injection in timestamps functionality
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T15:20:26.732Z

Reserved: 2026-06-08T17:13:43.066Z

Link: CVE-2026-52785

cve-icon Vulnrichment

Updated: 2026-06-29T15:00:35.577Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T23:15:08Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')