CRITICAL🇵🇱 Wersja polska

CVE-2026-34717

CVSS 9.9v3.1pub. 2026-04-02upd. 2026-04-21

OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.

🤖 AI Analysis
How it works

The vulnerability is located in the file modules/reporting/lib/report/operator.rb (line 177), where the =n operator constructs SQL queries by directly embedding user data into the WHERE clause without using parameterization mechanisms (prepared statements). An authenticated user can provide specially crafted input data that will be interpreted as part of an SQL command. The network attack vector (AV:N) with low privileges (PR:L) and no user interaction (UI:N) means that only having an account in the application is sufficient to carry out the attack.

Impact

An attacker can gain unauthorized access to data stored in the database, modify or delete project information, and due to the changed scope (S:C), the impact may extend beyond the application itself. The vulnerability poses a high impact on system integrity and availability, as well as partial impact on data confidentiality.

Mitigation & patch

OpenProject should be updated to version 17.2.3 or later, in which the vulnerability has been removed. The patch is available in the official GitHub repository at https://github.com/opf/openproject/releases/tag/v17.2.3. Until the update is applied, it is recommended to restrict access to the reporting module only to trusted users.

Who is affected

OpenProject in versions prior to 17.2.3 (all installations based on the reporting module containing the vulnerable =n operator).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
  • Openproject

    APP
    Openproject
    < 17.2.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-32703CRITICAL9.0PL ✓ten sam produkt

Stored XSS w module Repositories aplikacji OpenProject

CVE-2026-32698CRITICAL9.1PL ✓ten sam produkt

SQL Injection w OpenProject umożliwiający zdalne wykonanie kodu Ruby

CVE-2026-25763CRITICAL9.4PL ✓ten sam produkt

OpenProject: command injection w endpointcie repozytorium prowadzący do RCE

CVE-2026-24685CRITICAL9.4PL ✓ten sam produkt

OpenProject: command injection w endpoincie diff repozytorium (zapis dowolnych plików)

CVE-2026-22600CRITICAL9.1PL ✓ten sam produkt

OpenProject — odczyt lokalnych plików przez SVG/ImageMagick przy eksporcie PDF