PT-2026-2220 · Unknown · Imagemagick+1
Jason Beck +2
Published 2026-01-10 · Updated 2026-01-15
CVE-2026-22600
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 16.6.4

Description: OpenProject is a web-based project management software. A Local File Read issue exists in the work package PDF export functionality. By uploading a specially crafted SVG file disguised as a PNG as a work package attachment, an attacker can exploit the backend image processing engine, ImageMagick. When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access, such as /etc/passwd, project configuration files, and private project data. The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package.

Recommendations: Upgrade to version 16.6.4 or later. If upgrading is not possible, apply the patch manually.
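The root cause described above is that an attachment's declared image type (a ".png" name) was trusted while its actual bytes (SVG/XML text) reached ImageMagick's format autodetection. The following is an added example, not code from OpenProject or from this advisory, of the two defensive checks a service owner would want in front of an image-processing backend: sniff the real content type from magic bytes and reject any attachment whose bytes do not match its claimed raster type, and build the resize command with an explicit coder prefix ("png:", "jpeg:", "gif:") so ImageMagick never autodetects the format. The function names, the allow-list, and all sample inputs are assumptions constructed for this example.

```python
from pathlib import PurePosixPath

# Raster formats this hypothetical upload handler is willing to pass to ImageMagick.
ALLOWED_RASTER = {"png", "jpeg", "gif"}

# Magic-number prefixes used to sniff the real content type of an upload.
MAGIC = (
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
)

# Mapping from file extension to the raster type the filename claims.
EXTENSION_TYPES = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff_image_type(data: bytes) -> str:
    """Return 'png', 'jpeg', 'gif', 'svg', or 'unknown' based on the bytes, not the name."""
    for name, magic in MAGIC:
        if data.startswith(magic):
            return name
    head = data[:512]
    if head.startswith(b"\xef\xbb\xbf"):  # strip a UTF-8 BOM before looking for XML/SVG text
        head = head[3:]
    head = head.lstrip().lower()
    if head.startswith((b"<?xml", b"<svg", b"<!doctype svg")):
        return "svg"
    return "unknown"


def validate_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only allow-listed raster types whose bytes agree with the filename."""
    ext = PurePosixPath(filename).suffix.lower()
    expected = EXTENSION_TYPES.get(ext)
    if expected is None:
        return False, f"extension {ext!r} is not an allowed raster image type"
    actual = sniff_image_type(data)
    if actual != expected:
        return False, f"content sniffed as {actual!r} but filename claims {expected!r}"
    return True, "ok"


def resize_argv(path: str, fmt: str, out_path: str, geometry: str = "50%") -> list[str]:
    """Build an ImageMagick 'convert' command with explicit coder prefixes.

    Prefixing input and output with the validated format (e.g. 'png:') tells
    ImageMagick which coder to use instead of guessing from the file contents.
    """
    if fmt not in ALLOWED_RASTER:
        raise ValueError(f"refusing to process non-raster format {fmt!r}")
    return ["convert", f"{fmt}:{path}", "-resize", geometry, f"{fmt}:{out_path}"]


# Constructed sample inputs (not real attachments): a minimal PNG header and a
# harmless SVG document that a client has named as if it were a PNG.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
SAMPLE_SVG_NAMED_PNG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"></svg>\n'


if __name__ == "__main__":
    for name, blob in (("diagram.png", SAMPLE_PNG), ("diagram.png", SAMPLE_SVG_NAMED_PNG)):
        ok, reason = validate_attachment(name, blob)
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
        if ok:
            print("  would run:", " ".join(resize_argv("/uploads/" + name, sniff_image_type(blob), "/tmp/out.png")))
```

In a real deployment these two checks complement, rather than replace, the vendor fix and an ImageMagick security policy: a policy.xml entry such as `<policy domain="coder" rights="none" pattern="{TEXT,SVG,MSVG}" />` denies the text and SVG coders process-wide, so a mismatched attachment that slips past validation still cannot be decoded as text.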

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-22600
GHSA-M8F2-CWPQ-VVHH

Affected Products

Imagemagick
Openproject