SQL Injection Vulnerability in OpenProject by OpenProject
CVE-2026-32698
What is CVE-2026-32698?
OpenProject, an open-source web-based project management software, is prone to a SQL injection vulnerability that could allow an attacker to execute arbitrary SQL commands through a custom field's name during Cost Report generation. This vulnerability primarily affects versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. While the attack surface is somewhat mitigated since only full administrators can create custom fields, the flaw coupled with another issue in the Repositories_module could potentially enable an attacker to inject ruby code into the OpenProject application. This occurs by exploiting the unchecked project identifier to incorrectly generate paths for git repository checkouts. It is crucial for users of vulnerable versions to upgrade to the fixed versions to safeguard their systems.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
openproject < 16.6.9 < 16.6.9
openproject >= 17.0.0, < 17.0.6 < 17.0.0, 17.0.6
openproject >= 17.1.0, < 17.1.3 < 17.1.0, 17.1.3