CVE-2026-34717
Published: 02 April 2026
Summary
CVE-2026-34717 is a critical-severity SQL injection (CWE-89) vulnerability in OpenProject. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 13.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates SQL injection by requiring validation mechanisms that sanitize or parameterize user input before it is embedded in SQL WHERE clauses.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and patching of the SQL injection flaw in the =n operator, as done in OpenProject 17.2.3.
- Vulnerability scanning detects SQL injection issues, such as unparameterized user input in reporting modules, for subsequent remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the web-based OpenProject application enables exploitation of a public-facing application (T1190) and direct manipulation of stored database contents via arbitrary SQL, i.e. Stored Data Manipulation (T1565.001).
NVD Description
OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.
Deeper analysis
CVE-2026-34717 is a SQL injection vulnerability (CWE-89) affecting OpenProject, an open-source, web-based project management application. In versions prior to 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb at line 177 embeds user input directly into SQL WHERE clauses without parameterization, so a crafted value can be executed as SQL. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H); the critical rating follows from its network accessibility, low attack complexity, and high impact on integrity and availability.
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network without user interaction. By crafting inputs for the =n operator in reporting modules, an attacker can inject arbitrary SQL, enabling manipulation of database contents (high integrity impact), disruption of service availability (high availability impact), and access to limited confidential data (low confidentiality impact). Because the scope is changed (S:C), the impact extends beyond the vulnerable reporting component to the application as a whole.
The issue has been addressed in OpenProject version 17.2.3, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to 17.2.3 or later and, until patching is complete, review access controls for reporting features to limit exposure. Relevant details are available at https://github.com/opf/openproject/releases/tag/v17.2.3 and https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364.
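As an added illustration (not OpenProject's own code; the field names, allow-list and helper names are hypothetical), the unparameterized pattern the advisory describes, beside a parameterized form that also validates the value type an id-comparison operator should accept:

```ruby
# Added illustration, not OpenProject's own code: field names, the
# allow-list and the helper names are hypothetical. It contrasts the
# unparameterized WHERE-clause pattern with a parameterized form.

# Columns a report filter may legitimately compare against. Identifiers
# cannot be bound as parameters, so they must come from an allow-list.
ALLOWED_FIELDS = %w[project_id status_id assigned_to_id].freeze

# Vulnerable pattern: each user-supplied value is interpolated straight
# into the WHERE fragment. A quote in the input terminates the literal and
# the remainder of the input is parsed as SQL by the database.
def unsafe_where(field, values)
  list = values.map { |v| "'#{v}'" }.join(", ")
  "#{field} IN (#{list})"
end

# Hardened pattern: the column is checked against the allow-list, each
# value is coerced to an integer id (rejecting anything else), and the
# fragment carries one "?" placeholder per value; the raw values are
# returned separately so the database driver binds them as data.
def safe_where(field, values)
  raise ArgumentError, "unknown field #{field.inspect}" unless ALLOWED_FIELDS.include?(field)
  ids = values.map { |v| Integer(v.to_s, 10) }  # ArgumentError on non-numeric input
  placeholders = Array.new(ids.size, "?").join(", ")
  ["#{field} IN (#{placeholders})", ids]
end

if __FILE__ == $PROGRAM_NAME
  benign  = ["3", "7"]
  crafted = ["3') OR ('1'='1"]   # constructed sample input containing a quote
  puts unsafe_where("project_id", benign)    # project_id IN ('3', '7')
  puts unsafe_where("project_id", crafted)   # structure of the clause is altered
  p safe_where("project_id", benign)         # ["project_id IN (?, ?)", [3, 7]]
  begin
    safe_where("project_id", crafted)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```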
Details
- CWE(s)