PT-2026-26156 · Openproject · Openproject

User: sam91281 · Published: 2026-03-18 · Updated: 2026-03-19
CVE-2026-32698 · CVSS v3.1: 9.1 (Critical) · Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenProject versions prior to 16.6.9
OpenProject versions prior to 17.0.6
OpenProject versions prior to 17.1.3
OpenProject versions prior to 17.2.1
Description
OpenProject is a web-based project management software. The application is susceptible to an SQL injection issue through the name of a custom field. When this custom field is used in a Cost Report, the name is incorporated into an SQL query without sufficient sanitization, potentially allowing an attacker to execute arbitrary SQL commands during Cost Report generation. This vulnerability, combined with another issue in the Repositories module, could allow an attacker to check out a git repository to an arbitrarily chosen path on the server, and potentially inject Ruby code into the application upon restart if the checkout occurs within specific paths. The attack surface is limited, as custom fields require full administrator privileges to create.
Recommendations
Update OpenProject to version 16.6.9 or later.
Update OpenProject to version 17.0.6 or later.
Update OpenProject to version 17.1.3 or later.
Update OpenProject to version 17.2.1 or later.
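As an added illustration of the defect class the description refers to (example code, not OpenProject's own; the query, table and column names are assumptions), the unsafe and hardened ways of placing a custom-field name into a report query, plus a small check a reviewer can run to see what alias the database actually receives:

```ruby
# Added example, not OpenProject's code: a custom field's administrator-typed
# name ends up as a column alias in a report query. Raw interpolation lets an
# embedded double quote end the identifier early; identifier quoting does not.

# Minimal PostgreSQL-style identifier quoting (the same rule as
# PG::Connection#quote_ident): wrap in double quotes, double embedded ones.
def quote_ident(name)
  '"' + name.to_s.gsub('"', '""') + '"'
end

# Vulnerable pattern: the field name is interpolated straight into the SQL text.
# (Table and column names are assumptions for the example.)
def report_sql_unsafe(field_name)
  %(SELECT SUM(cost) AS "#{field_name}" FROM cost_entries GROUP BY work_package_id)
end

# Hardened pattern: the field name is quoted as an identifier first.
def report_sql_safe(field_name)
  "SELECT SUM(cost) AS #{quote_ident(field_name)} FROM cost_entries GROUP BY work_package_id"
end

# Review/test helper: parse the quoted alias the way the database would ("" is
# the escape) and return [alias, SQL that follows it]. For the unsafe query the
# remainder is no longer the intended tail of the statement.
def alias_seen_by_db(sql)
  m = sql.match(/ AS "((?:[^"]|"")*)"(.*)\z/m) or raise ArgumentError, 'no quoted alias'
  [m[1].gsub('""', '"'), m[2]]
end

# Constructed field name: a legitimate-looking label that happens to contain quotes.
TRICKY_NAME = 'Total "Labor" cost'

if __FILE__ == $PROGRAM_NAME
  [report_sql_unsafe(TRICKY_NAME), report_sql_safe(TRICKY_NAME)].each do |sql|
    ident, rest = alias_seen_by_db(sql)
    puts "#{sql}\n  alias seen: #{ident.inspect}\n  remainder:  #{rest.inspect}"
  end
end
```

With the unsafe query the database sees the alias "Total " and treats the rest of the name as SQL; with the hardened query the full name survives as the alias and the statement tail is unchanged.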

Tags: Exploit · Fix · LPE · RCE · SQL injection

Related Identifiers: CVE-2026-32698 · GHSA-JQHF-RF9X-9RHX

Affected Products: Openproject