CVE-2026-22601
Published: 10 January 2026
Summary
CVE-2026-22601 is a high-severity Command Injection (CWE-77) vulnerability in OpenProject (vendor: OpenProject). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 24.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Command injection in the web application gives an authenticated administrator remote code execution: the entry point is Exploit Public-Facing Application (T1190) and the injected command runs through the Unix shell (Command and Scripting Interpreter: Unix Shell, T1059.004).
NVD Description
OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.
Deeper analysis (AI-generated)
CVE-2026-22601 is a command injection vulnerability (CWE-77) in OpenProject, an open-source web-based project management software. It affects versions 16.6.1 and below, where a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email.
A registered administrator (PR:H) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no additional user interaction (UI:N). Exploitation allows arbitrary command execution on the server, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with an unchanged scope (S:U) and a CVSS v3.1 base score of 7.2.
The issue has been patched in OpenProject version 16.6.2. Mitigation details are available in the release notes at https://github.com/opf/openproject/releases/tag/v16.6.2 and the security advisory at https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc.
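The root cause described above is an administrator-controlled "sendmail binary path" setting reaching a command execution. The following Ruby is an added, illustrative hardening of such a setting; it is not OpenProject's code and does not reflect how the project implements or patched the feature. The allowlisted paths, the `-i -t` sendmail flags and the function names are assumptions chosen for the example. The defensive points it shows are: validate the setting against a strict allowlist rather than escaping it, reject anything that is not a plain absolute path, and invoke the program with an argument array so no shell ever interprets the value.

```ruby
# Added example (not OpenProject's code): validating an admin-supplied
# "sendmail binary path" setting before it is used to send a test email.

# Only explicitly approved absolute paths may be configured (assumed values).
ALLOWED_SENDMAIL_PATHS = %w[/usr/sbin/sendmail /usr/lib/sendmail].freeze

# A path must be absolute and consist only of path-safe characters.
# Spaces, ';', '|', '&', '$', backticks, quotes and newlines are rejected
# outright rather than escaped.
SAFE_PATH_RE = %r{\A/[A-Za-z0-9_./-]*\z}

class UnsafeSendmailPath < StandardError; end

# Returns the path unchanged if it is acceptable, otherwise raises.
def validate_sendmail_path!(path, allowlist: ALLOWED_SENDMAIL_PATHS)
  raise UnsafeSendmailPath, 'path must be a string' unless path.is_a?(String)
  unless path.match?(SAFE_PATH_RE)
    raise UnsafeSendmailPath, 'path must be absolute and free of shell metacharacters'
  end
  raise UnsafeSendmailPath, 'path traversal is not allowed' if path.split('/').include?('..')
  raise UnsafeSendmailPath, "path is not on the allowlist: #{path}" unless allowlist.include?(path)
  path
end

# Boolean form of the same check, convenient for form validation.
def safe_sendmail_path?(path, allowlist: ALLOWED_SENDMAIL_PATHS)
  validate_sendmail_path!(path, allowlist: allowlist)
  true
rescue UnsafeSendmailPath
  false
end

# Build the argument vector. Handing an Array to IO.popen / Process.spawn
# means no shell is involved, so metacharacters in any element are never
# interpreted. The weak pattern this replaces is a single string such as
#   "#{path} -i -t"
# passed to a shell, where `path` is whatever the admin typed into the form.
# The '-i' and '-t' flags are assumed here as typical sendmail options.
def sendmail_argv(path, allowlist: ALLOWED_SENDMAIL_PATHS)
  [validate_sendmail_path!(path, allowlist: allowlist), '-i', '-t']
end

# Deliver a message through the validated binary. Returns true on success,
# false if the program failed, nil if the binary is missing or not executable.
def spawn_sendmail(path, message, allowlist: ALLOWED_SENDMAIL_PATHS)
  argv = sendmail_argv(path, allowlist: allowlist)
  return nil unless File.executable?(argv.first)
  IO.popen(argv, 'w') { |io| io.write(message) } # array form: no shell
  $?.success?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs an admin form might submit.
  [
    '/usr/sbin/sendmail',
    '/usr/sbin/sendmail; echo injected',
    '/tmp/../usr/sbin/sendmail',
    'sendmail'
  ].each do |p|
    puts "#{p.inspect} -> #{safe_sendmail_path?(p) ? 'accepted' : 'rejected'}"
  end
end
```

Only the first sample path is accepted; the others are rejected by the metacharacter, traversal or allowlist checks respectively. The allowlist is deliberately the last line of defence rather than the only one: even if a deployment widens it, the character check still prevents the setting from carrying shell syntax, and the array-form spawn means a path that somehow slipped through would at worst run the wrong binary, not a shell pipeline.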
Details
- CWE(s)