CRITICAL🇵🇱 Wersja polska

CVE-2026-24685

CVSS 9.4v4.0pub. 2026-01-28upd. 2026-02-09

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt)`, an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Openproject

    APP
    Openproject
    < 16.6.617.0.0 – 17.0.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoS
CWE
References

Related vulnerabilities

CVE-2026-34717CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OpenProject — operator =n bez parametryzacji zapytań

CVE-2026-32703CRITICAL9.0PL ✓ten sam produkt

Stored XSS w module Repositories aplikacji OpenProject

CVE-2026-32698CRITICAL9.1PL ✓ten sam produkt

SQL Injection w OpenProject umożliwiający zdalne wykonanie kodu Ruby

CVE-2026-25763CRITICAL9.4PL ✓ten sam produkt

OpenProject: command injection w endpointcie repozytorium prowadzący do RCE

CVE-2026-22600CRITICAL9.1PL ✓ten sam produkt

OpenProject — odczyt lokalnych plików przez SVG/ImageMagick przy eksporcie PDF