CVE-2026-24685
Published: 28 January 2026
Summary
CVE-2026-24685 is a high-severity Command Injection (CWE-77) vulnerability in Openproject Openproject. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates and sanitizes untrusted inputs like the 'rev' parameter to prevent command injection attacks exploiting git show options.
Remediates the specific arbitrary file write vulnerability by applying vendor patches released in OpenProject versions 16.6.6 and 17.0.2.
Enforces least privilege on the OpenProject process user to restrict writable paths, limiting the scope of arbitrary file writes even if injection occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of public-facing OpenProject web app (T1190) via crafted request to repository endpoint; resulting arbitrary file overwrite with git output directly facilitates data destruction by disrupting configs or critical files (T1485).
NVD Description
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted…
more
rev value (for example, `rev=--output=/tmp/poc.txt)`, an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.
Deeper analysisAI
CVE-2026-24685 is an arbitrary file write vulnerability in OpenProject, an open-source web-based project management software. It affects versions prior to 16.6.6 and 17.0.2, specifically in the repository diff download endpoint at `/projects/:project_id/repository/diff.diff` when rendering a single revision using the `git show` command. An attacker can supply a specially crafted `rev` value, such as `rev=--output=/tmp/poc.txt`, to inject command-line options into `git show`. This causes Git to interpret the attacker-controlled `rev` as an option and write the command's output—consisting of commit metadata and patch data—to an attacker-chosen path writable by the OpenProject process user. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-77 (Command Injection).
Any authenticated user with the `:browse_repository` permission on a project can exploit this vulnerability remotely without user interaction. By accessing the diff endpoint with a malicious `rev` parameter, the attacker can create or overwrite arbitrary files accessible to the OpenProject process, such as application or configuration files. While the written content is limited to `git show` output, this still enables data loss and denial of service by disrupting critical files, compromising integrity and availability.
The issue has been fixed in OpenProject versions 16.6.6 and 17.0.2. For full details on the patch and mitigation, refer to the GitHub Security Advisory at https://github.com/opf/openproject/security/advisories/GHSA-74p5-9pr3-r6pw.
Details
- CWE(s)