CVE-2026-24685
📋 TL;DR
OpenProject versions before 16.6.6 and 17.0.2 contain an argument-injection flaw in the repository browser: the revision parameter is handed to the git command line without being validated as a revision, so an authenticated user with repository browsing permission can supply git command-line options instead (for example --output=<path>) and make git write its output to any location the OpenProject process can write to. Depending on what gets overwritten, this can lead to data loss, denial of service, or potentially remote code execution.
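The mechanism above, as an added example that is not OpenProject's own code. It shows why spawning git with an argv array (no shell) is not enough on its own: git still parses any argument beginning with a hyphen as an option, so a "revision" of --output=PATH makes git show write its output to PATH. The function names, the BadRevision class and the allow-list regex are hypothetical; they are not the project's implementation or the validation in the fixed releases.

```ruby
# Added example, not code from OpenProject.
require "open3"

# Vulnerable shape: the caller-supplied revision is spliced straight into the
# argument list. Open3 avoids shell metacharacter injection, but git will still
# interpret "--output=/tmp/x" as an option rather than as a revision.
def git_show_args_vulnerable(repo_path, rev)
  ["git", "-C", repo_path, "show", rev]
end

# Hypothetical allow-list: hex object ids or conservative ref names.
# OpenProject's real validation is not reproduced here.
REF_RE = %r{\A[A-Za-z0-9][A-Za-z0-9._/-]*\z}

class BadRevision < ArgumentError; end

def safe_revision?(rev)
  s = rev.to_s
  # A leading "-" is exactly what turns a value into an option. ".." is
  # rejected too, to stay clear of range syntax and path-like refs.
  return false if s.empty? || s.start_with?("-") || s.include?("..")
  REF_RE.match?(s)
end

def git_show_args_hardened(repo_path, rev)
  raise BadRevision, "refused revision #{rev.inspect}" unless safe_revision?(rev)
  # "--end-of-options" (git 2.24 and later) makes git treat everything after it
  # as positional: defence in depth if the allow-list is ever widened.
  ["git", "-C", repo_path, "show", "--end-of-options", rev]
end

# Runs the hardened form without a shell; returns stdout, stderr and success.
def git_show(repo_path, rev)
  out, err, status = Open3.capture3(*git_show_args_hardened(repo_path, rev))
  [out, err, status.success?]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: an option-looking revision as an attacker would send it.
  p git_show_args_vulnerable("/srv/repo", "--output=/tmp/pwn.txt")
  begin
    git_show_args_hardened("/srv/repo", "--output=/tmp/pwn.txt")
  rescue BadRevision => e
    puts "rejected: #{e.message}"
  end
end
```

The vulnerable builder returns the attacker's value unchanged as the fifth argv element; the hardened builder refuses it before any process is spawned, and the separator protects any value that does get through.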
💻 Affected Systems
- OpenProject
📦 What is this software?
Openproject by Openproject
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through overwriting critical configuration files, installation of backdoors, or remote code execution by writing malicious scripts to executable locations.
Likely Case
Denial of service through overwriting application files, data corruption, or limited remote code execution by writing to web-accessible directories.
If Mitigated
Limited impact if proper file permissions restrict OpenProject process write access to sensitive directories and regular backups are maintained.
🎯 Exploit Status
Exploitation requires an authenticated account that holds the browse_repository permission, but is otherwise trivial: a single crafted request to the repository browser. The public advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.6.6 or 17.0.2
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-74p5-9pr3-r6pw
Restart Required: Yes
Instructions:
1. Back up your OpenProject installation and database.
2. Update to OpenProject 16.6.6 (16.x branch) or 17.0.2 (17.x branch).
3. Restart the OpenProject service.
4. Verify that the running version is the patched one.
🔧 Temporary Workarounds
Disable repository browsing
Applies to: all. Temporarily remove the browse_repository permission from every role so that no account can reach the vulnerable code path. The safest route is the Roles and permissions page in Administration, which goes through the application. If you change the database directly instead, take a backup first and confirm the schema before running anything: current OpenProject releases store one row per role and permission in the role_permissions table (permission names without the leading colon), so the statement below assumes that table; check it with \d role_permissions first.
DELETE FROM role_permissions WHERE permission = 'browse_repository';
Restrict Git repository access
Applies to: all. Disable the Git repository integration in OpenProject's repository settings so that no git command can be reached through the repository browser.
🧯 If You Can't Patch
- Run OpenProject under a dedicated account and restrict its file system write access to the directories it actually needs (attachments, logs, tmp); make application code, configuration and cron/service files read-only to that account, since the flaw can only write where the process can write.
- Deploy web application firewall (WAF) rules that block requests whose rev (revision) parameter begins with a hyphen. Normalize URL encoding (%2D for "-") and inspect POST bodies as well as query strings; matching only the literal --output= misses other git options.
🔍 How to Verify
Check if Vulnerable:
Any 16.x version below 16.6.6, any 17.x version below 17.0.2, and any older release is vulnerable. Check the OpenProject version in the administration interface or, on a packaged installation, run: openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s'
Check Version:
openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s'
Verify Fix Applied:
Confirm version is 16.6.6 or higher (for 16.x) or 17.0.2 or higher (for 17.x)
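A branch-aware version check, added here as an example and not part of the page or of OpenProject. A naive comparison against 16.6.6 would clear 17.0.0 and 17.0.1, which sort higher than 16.6.6 but are still vulnerable. The thresholds come from the advisory; the assumption that branches newer than 17 carry the fix is the example's own.

```ruby
# Added example, not code from OpenProject.
# Fixed versions per release branch, as named in the advisory.
FIXED_BY_BRANCH = {
  16 => Gem::Version.new("16.6.6"),
  17 => Gem::Version.new("17.0.2"),
}.freeze

# Returns true when the given version string falls inside the affected range.
def vulnerable_version?(version_string)
  v = Gem::Version.new(version_string.to_s.strip)
  major = v.segments.first
  # Everything older than the 16.x branch predates both fixes.
  return true if major < 16
  fixed = FIXED_BY_BRANCH[major]
  # Assumption: branches newer than those listed already contain the fix.
  return false if fixed.nil?
  v < fixed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: what the rails runner command might print.
  %w[16.6.5 16.6.6 17.0.1 17.0.2].each do |ver|
    puts "#{ver}: #{vulnerable_version?(ver) ? 'VULNERABLE' : 'fixed'}"
  end
end
```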
📡 Detection & Monitoring
Log Indicators:
- Unexpected files appearing, or existing files changing, in directories writable by the OpenProject process
- Requests to /projects/*/repository/diff.diff (or other repository browser routes) whose rev parameter begins with a hyphen, such as --output=; in web-server access logs the value may be URL-encoded (%2D%2D), while the Rails request log shows it decoded in the Parameters hash
- Error logs showing permission denied for paths git should never touch
Network Indicators:
- HTTP GET or POST requests to the repository browser in which the rev parameter begins with a hyphen, in plain or URL-encoded form
SIEM Query:
source="openproject.log" AND ("rev=-" OR "rev=%2D" OR ("git show" AND error))
The query syntax is generic; adapt the field names to your SIEM and add the Rails form of the parameter ("rev"=>"-) if the application log is indexed separately from the web-server log.
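The detection logic above run over sample log lines, as an added example that is not part of the page or of OpenProject. The four lines are constructed: an nginx-style access log entry with the option URL-encoded, a Rails request log entry with the decoded parameter, and two benign requests. The check flags any rev value that starts with a hyphen instead of matching only the literal --output=.

```ruby
# Added example, not code from OpenProject.
require "cgi"

# Constructed sample lines (not real OpenProject logs).
SAMPLE_LINES = [
  '10.0.0.5 - alice [12/Jan/2026:10:15:01 +0000] "GET /projects/demo/repository/diff.diff?rev=--output%3D%2Fsrv%2Fopenproject%2Fpwn.txt HTTP/1.1" 200 0',
  'Parameters: {"rev"=>"--output=/srv/openproject/pwn.txt", "project_id"=>"demo", "format"=>"diff"}',
  '10.0.0.7 - bob [12/Jan/2026:10:16:30 +0000] "GET /projects/demo/repository/diff.diff?rev=4f2a9c1 HTTP/1.1" 200 5120',
  'Parameters: {"rev"=>"main", "project_id"=>"demo", "format"=>"diff"}',
].freeze

# Pulls every rev value out of a line: query-string form (rev=...) and Rails
# parameter-hash form ("rev"=>"..."). Query values are URL-decoded so that
# %2D%2D is seen as "--".
def rev_values(line)
  query = line.scan(/[?&]rev=([^&\s"]*)/).flatten.map { |v| CGI.unescape(v) }
  rails = line.scan(/"rev"=>"((?:[^"\\]|\\.)*)"/).flatten
  query + rails
end

# A revision that starts with "-" is being handed to git as an option.
def suspicious_rev?(line)
  rev_values(line).any? { |v| v.start_with?("-") }
end

def flag_lines(lines)
  lines.select { |l| suspicious_rev?(l) }
end

if __FILE__ == $PROGRAM_NAME
  flag_lines(SAMPLE_LINES).each { |l| puts "ALERT: #{l}" }
end
```

Pointed at real logs, the same two functions work line by line over a web-server access log and the Rails log; only the two attacker lines in the sample are reported.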