CVE-2026-25763
Published: 06 February 2026
Summary
CVE-2026-25763 is a critical-severity OS Command Injection (CWE-78) vulnerability in Openproject Openproject. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the command injection flaw by applying vendor patches in OpenProject versions 16.6.7 and 17.0.3.
Validates and sanitizes the attacker-controlled 'rev' parameter to block injection of git log options like --output leading to arbitrary file writes.
Enforces least privilege on the OpenProject process user, restricting the paths and impact of arbitrary file writes and subsequent RCE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing OpenProject web app (/repository/changes endpoint) directly enables T1190; resulting RCE via crafted git log output and shell script embedding enables T1059.004 Unix Shell for reverse shells; arbitrary file write and post-RCE file access (e.g. /etc/passwd) enables T1005 Data from Local System.
NVD Description
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted…
more
rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3.
Deeper analysisAI
CVE-2026-25763 is an arbitrary file write vulnerability in OpenProject, an open-source web-based project management software. The issue affects versions prior to 16.6.7 and 17.0.3, stemming from improper handling of the "rev" parameter in the repository changes endpoint (/projects/:project_id/repository/changes) when rendering the "latest changes" view using git log. Attackers can supply a specially crafted rev value, such as rev=--output=/tmp/poc.txt, to inject git log command-line options. This causes Git to interpret the attacker-controlled input as an option and write output to an arbitrary path writable by the OpenProject process user. The vulnerability is rated at CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-78 (OS Command Injection).
Any authenticated user with the :browse_repository permission on a project can exploit this vulnerability. By injecting options into the git log command, they can create or overwrite files with git log output. Furthermore, by crafting custom commits, attackers can embed valid shell scripts into the output, enabling remote code execution (RCE). Successful RCE allows attackers to establish a reverse shell to the target host and access confidential files outside OpenProject, such as /etc/passwd.
The vulnerability has been patched in OpenProject versions 16.6.7 and 17.0.3. Official mitigation details are available in the project's GitHub security advisory (GHSA-x37c-hcg5-r5m7) and release notes for the patched versions at https://github.com/opf/openproject/releases/tag/v16.6.7 and https://github.com/opf/openproject/releases/tag/v17.0.3. Security practitioners should upgrade affected installations immediately to prevent exploitation.
Details
- CWE(s)