Cyber Posture

CVE-2026-32698

Critical

Published: 18 March 2026

Modified: 19 March 2026
KEV Added: not listed
Patch: available (see fixed versions below)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.3th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32698 is a critical-severity SQL Injection (CWE-89) vulnerability in OpenProject (vendor OpenProject, product OpenProject). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 11.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Requires validation of custom field names and project identifiers before use in SQL queries and filesystem paths, directly preventing SQL injection and path traversal.
- Prevent: Mandates timely remediation of the SQL injection and unsanitized path flaws through patching to versions that fix the vulnerabilities.
- Prevent: Enforces restrictions on special characters in inputs like custom field names and project identifiers to block injection payloads and path traversal attempts.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The SQL injection in the public-facing OpenProject web application maps directly to T1190. The administrator-to-code-execution chain, built from a malicious custom field name and a manipulated repository checkout path, constitutes T1068 privilege escalation, and the resulting arbitrary Ruby code execution on the next application restart enables T1059.004 Unix shell execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query without proper sanitation. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report. As custom fields can only be generated by users with full administrator privileges, the attack surface is somewhat reduced. Together with another bug in the Repositories module, that used the project identifier without sanitation to generate the checkout path for a git repository in the filesystem, this allowed an attacker to check out a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, upon the next restart of the application, this allows the attacker to inject Ruby code into the application. As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, this needs to be changed via the SQL injection described above. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.

Deeper analysis

OpenProject, an open-source web-based project management software, is affected by CVE-2026-32698, an SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. The flaw occurs when a custom field's name is used in a Cost Report, as the name is injected into the SQL query without proper sanitization, enabling arbitrary SQL command execution during report generation. Custom fields require full administrator privileges to create, which limits the initial attack surface.

An attacker with administrator privileges can exploit this by crafting a malicious custom field name so that SQL is injected when a Cost Report is generated. The injected SQL can then be used to rewrite a project identifier, which the Repositories module uses without sanitization when it builds the git checkout path. By changing the identifier to include special characters such as dots or slashes (values the edit form would normally reject), the attacker can cause a git repository to be checked out to an arbitrary filesystem path. If that path falls within specific OpenProject application directories, the next application restart loads the injected Ruby code, giving the attacker code execution on the server.

The GitHub Security Advisory (GHSA-jqhf-rf9x-9rhx) details the issue and confirms that upgrading to OpenProject versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1 resolves the SQL injection and related repository path traversal vulnerabilities through proper input sanitization.
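The two defect classes described above (an identifier spliced into SQL text, and a project identifier used to build a filesystem path without validation at the point of use) and the input-validation controls listed under Mitigating Controls can be illustrated with a small added example. This is illustrative code written for this page, not OpenProject's code; the query shape, the identifier allow-list and the base directory are assumptions.

```ruby
# Added illustration (not OpenProject's code) of the two defect classes in the
# advisory: an identifier spliced into SQL text, and an identifier used to
# build a filesystem path without validation at the point of use.

# Quote a PostgreSQL identifier as a DB adapter would: wrap in double quotes
# and double any embedded quote, so the name can never terminate the identifier.
def quote_identifier(name)
  raise ArgumentError, "identifier contains NUL" if name.include?("\0")
  %("#{name.gsub('"', '""')}")
end

# Vulnerable pattern: the custom field name lands in the SQL text verbatim.
def cost_report_sql_unsafe(field_name)
  %(SELECT SUM(cost) FROM cost_entries GROUP BY "#{field_name}")
end

# Hardened pattern: the same (assumed) query with the identifier quoted.
def cost_report_sql_safe(field_name)
  "SELECT SUM(cost) FROM cost_entries GROUP BY #{quote_identifier(field_name)}"
end

# Assumed allow-list for project identifiers: lowercase alphanumerics, dash
# and underscore only; dots and slashes are rejected outright.
IDENTIFIER_RE = /\A[a-z0-9][a-z0-9_-]*\z/.freeze

def valid_project_identifier?(identifier)
  IDENTIFIER_RE.match?(identifier)
end

# Build the repository checkout path. The identifier is re-validated here
# rather than trusting the edit form, because a value altered directly in the
# database (as via the SQL injection) never passes through form validation.
# The resolved path is also confirmed to stay under the base directory.
def checkout_path(base, identifier)
  unless valid_project_identifier?(identifier)
    raise ArgumentError, "invalid project identifier: #{identifier.inspect}"
  end
  base = File.expand_path(base)
  path = File.expand_path(identifier, base)
  raise ArgumentError, "path escapes #{base}" unless path.start_with?("#{base}/")
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a field name containing a double quote.
  evil_name = %(total" ; --)
  puts cost_report_sql_unsafe(evil_name)   # identifier is closed early by the quote
  puts cost_report_sql_safe(evil_name)     # quote is doubled, identifier stays intact
  puts checkout_path("/srv/repos", "my-project")
end
```

The point of `checkout_path` is that validation at the point of use, not only at the edit form, is what stops a database-level change to the identifier from becoming a path traversal.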

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

- Vendor: openproject
- Product: openproject
- Versions: 17.2.0 · ≤ 16.6.9 · 17.0.0 — 17.0.6 · 17.1.0 — 17.1.3
