Arbitrary File Read Vulnerability in OpenProject Project Management Software by OpenProject
CVE-2026-30234
6.5 MEDIUM
What is CVE-2026-30234?
OpenProject, a widely used open-source project management tool, contains a vulnerability that lets an authenticated user holding the BCF import permission manipulate file paths. Such a user can upload a specially crafted .bcf archive whose markup.bcf carries a file reference altered to point at sensitive local files, such as system configuration or user data. Because that reference is resolved outside the scope of the ZIP archive, the importer reads filesystem content it should never touch, and the content can leak to the user. The issue is fixed in version 17.2.0; installations running earlier versions should update.
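The defensive check the description implies, as an added example written for this page (in Python, not OpenProject's own Ruby code): every file reference found in a markup.bcf must resolve to a member of the same archive, so absolute paths, drive letters and traversal out of the topic folder are rejected before anything is read. It assumes, following the BCF XML schema, that references live in Viewpoint and Snapshot elements; the sample archive and its paths are constructed for the demonstration.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Assumption: file references sit in <Viewpoint> and <Snapshot> elements, as in
# the BCF XML schema. Extend this tuple if an importer reads other fields.
REFERENCE_TAGS = ("Viewpoint", "Snapshot")


def referenced_paths(markup_xml):
    """Yield every raw file reference found in one markup.bcf document."""
    root = ET.fromstring(markup_xml)
    for elem in root.iter():
        # strip any XML namespace prefix before comparing the tag name
        if elem.tag.rsplit("}", 1)[-1] in REFERENCE_TAGS and elem.text:
            yield elem.text.strip()


def resolve_in_archive(markup_member, ref, members):
    """Return the archive member `ref` denotes, or None if it escapes the ZIP."""
    ref = ref.replace("\\", "/")
    if ref.startswith("/") or ":" in ref:       # absolute path or drive letter
        return None
    base = posixpath.dirname(markup_member)      # topic folder of this markup.bcf
    target = posixpath.normpath(posixpath.join(base, ref))
    # normpath keeps a leading ".." when traversal climbs above the archive root;
    # a reference must also stay inside its own topic folder
    if target.startswith("..") or (base and not target.startswith(base + "/")):
        return None
    return target if target in members else None


def check_bcf_archive(data):
    """Return (markup member, reference) pairs that do not resolve inside the ZIP."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = set(zf.namelist())
        for name in sorted(members):
            if posixpath.basename(name) == "markup.bcf":
                for ref in referenced_paths(zf.read(name)):
                    if resolve_in_archive(name, ref, members) is None:
                        bad.append((name, ref))
    return bad


def build_sample(snapshot_ref):
    """Constructed sample .bcf archive: one topic folder, one snapshot reference."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("topic-1/markup.bcf",
                    f"<Markup><Viewpoints><Snapshot>{snapshot_ref}</Snapshot>"
                    "</Viewpoints></Markup>")
        zf.writestr("topic-1/snapshot.png", b"\x89PNG")   # constructed payload
    return buf.getvalue()
```

An importer that runs check_bcf_archive before extracting anything and refuses the upload when the list is non-empty never opens a path the archive did not ship.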
Affected Version(s)
openproject < 17.2.0
