PT-2026-5149 · Unknown · Openproject

Sam91281 · Published 2026-01-28 · Updated 2026-02-09

CVE-2026-24685
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
OpenProject versions prior to 16.6.6
OpenProject versions prior to 17.0.2

Description
OpenProject is a web-based project management software. An arbitrary file write exists in the repository diff download endpoint (/projects/:project_id/repository/diff.diff) when a single revision is rendered via `git show`. The user-supplied rev value is passed to git as a bare argument, so a crafted value such as rev=--output=/tmp/poc.txt is parsed by git as a command-line option rather than as a revision: the OpenProject process runs the SCM command and git writes its output to a path chosen by the attacker. This is argument (option) injection, not shell injection; invoking git without a shell does not prevent it. Any user with the :browse_repository permission on the project can create or overwrite any file the OpenProject process user is permitted to write. Overwriting application or configuration files can lead to data loss and denial of service.
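The injection described above, as an added example that is not OpenProject's own code: the vulnerable argv shape is placed beside a hardened one that rejects option-like revisions and separates the rev from git's option parsing with --end-of-options (git 2.24 or later). Method names, the allow-list pattern and the sample revisions are assumptions made for illustration.

```ruby
require "open3"

# Added example (not OpenProject's code): how an attacker-controlled
# revision reaches `git show`, and two layers that stop option injection.
# Method names and the allow-list pattern are assumptions for illustration.

# True when git would parse the value as an option instead of a revision.
def option_like?(rev)
  rev.start_with?("-")
end

# Vulnerable shape: the rev is appended as a bare positional argument, so
# rev = "--output=/tmp/poc.txt" makes `git show` write its output to that
# path. Passing argv as an array (no shell) does not help here.
def vulnerable_show_argv(rev)
  ["git", "show", rev]
end

# Allow-list for revisions: object ids and ref names, which may contain
# letters, digits, ".", "_", "/" and "-" but can never start with "-".
SAFE_REV = %r{\A[0-9A-Za-z][0-9A-Za-z._/-]*\z}

# Hardened shape, two independent layers:
#  1. reject anything option-like or outside the allow-list, and
#  2. put --end-of-options before the rev so that even a value slipping
#     past the check is never parsed as an option.
# A bare "--" would not do: git reads what follows it as pathspecs, not
# as revisions.
def safe_show_argv(rev)
  raise ArgumentError, "refusing option-like revision #{rev.inspect}" if option_like?(rev)
  raise ArgumentError, "malformed revision #{rev.inspect}" unless rev.match?(SAFE_REV)
  ["git", "show", "--end-of-options", rev]
end

# Runs the hardened command inside a checkout (assumed path), without a
# shell. Not exercised below, shown only to make the call site concrete.
def run_safe_show(repo_dir, rev)
  out, err, status = Open3.capture3(*safe_show_argv(rev), chdir: repo_dir)
  raise "git show failed: #{err}" unless status.success?
  out
end

# Constructed sample revisions; the last one is the advisory's example.
SAMPLE_REVS = ["a1b2c3d", "main", "--output=/tmp/poc.txt"].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_REVS.each do |rev|
    puts "vulnerable: #{vulnerable_show_argv(rev).inspect}"
    begin
      puts "hardened:   #{safe_show_argv(rev).inspect}"
    rescue ArgumentError => e
      puts "hardened:   rejected (#{e.message})"
    end
  end
end
```

The two layers are deliberately independent: the allow-list catches the bug at the application boundary, while --end-of-options makes git itself refuse to treat the value as an option, which also covers future rev sources that bypass the check.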
Recommendations
Update to OpenProject version 16.6.6 or later.
Update to OpenProject version 17.0.2 or later.

Tags: Exploit · Fix · DoS · Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-24685
GHSA-74P5-9PR3-R6PW

Affected Products

Openproject