SQL Injection Vulnerability in OpenProject Web-Based Project Management Software
CVE-2026-52785

CVSS score: 9.9 (CRITICAL)

Key Information:

Vendor: Opf

CVE Published: 26 June 2026

What is CVE-2026-52785?

OpenProject, an open-source web-based project management software, contains a SQL injection vulnerability in its timestamps functionality that affects versions prior to 17.3.3 and 17.4.1. An attacker who can send requests that use the timestamps parameter to access historic work-package attributes can manipulate that parameter to inject SQL. To mitigate this risk, users should update to the patched versions 17.3.3 or 17.4.1.

Affected Version(s)

openproject < 17.3.3 (fixed in 17.3.3)

openproject >= 17.4.0, < 17.4.1 (fixed in 17.4.1)

CVSS v3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved