CVE-2026-30234

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.2.0

Description OpenProject is a web-based project management software. Before version 17.2.0, an authenticated project member with BCF import permissions could upload a manipulated .bcf archive. The <Snapshot> value within the markup.bcf file could be altered to contain an absolute or traversal local path, such as '/etc/passwd' or '../../../../etc/passwd'. During import, this untrusted <Snapshot> value is used as file.path during attachment processing. This allows for arbitrary file reading (AFR) within the read permissions of the OpenProject application user, as local filesystem content can be read outside the intended ZIP scope.

Recommendations Update to version 17.2.0 or later.