CVE-2026-25763

9.9 CRITICAL

📋 TL;DR

OpenProject versions before 16.6.7 and 17.0.3 contain an arbitrary file write vulnerability that can lead to remote code execution. Attackers with repository browsing permissions can inject git log options to write files anywhere the OpenProject process can access, potentially uploading malicious scripts. This affects all OpenProject deployments using vulnerable versions.

💻 Affected Systems

Products:
  • OpenProject
Versions: All versions before 16.6.7 and 17.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires :browse_repository permission on a project

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via reverse shell, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Arbitrary file creation/overwrite leading to service disruption, data manipulation, or limited RCE within the application context.

🟢 If Mitigated

File write limited to non-critical locations if proper file permissions and sandboxing are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with repository permissions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.6.7 or 17.0.3

Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7

Restart Required: Yes

Instructions:

1. Backup your OpenProject installation and database.
2. Update to OpenProject 16.6.7 (for the 16.x branch) or 17.0.3 (for the 17.x branch).
3. Restart the OpenProject service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Repository Permissions (applies to: all)

Temporarily remove the :browse_repository permission from all users except the administrators who absolutely need it.

Application Firewall Rules (applies to: all)

Block access to the /projects/*/repository/changes endpoint at the web application firewall or reverse proxy level.

🧯 If You Can't Patch

  • Implement strict file system permissions to limit OpenProject process write access
  • Deploy network segmentation to isolate OpenProject from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check the OpenProject version via the admin interface or by examining the installed package version.

Check Version:

For Docker: docker exec openproject bundle exec rails runner "puts OpenProject::VERSION.to_s"

Verify Fix Applied:

Confirm version is 16.6.7 or higher (16.x branch) or 17.0.3 or higher (17.x branch)

📡 Detection & Monitoring

Log Indicators:

  • Unusual git log commands with --output parameter
  • File write operations in unexpected locations by OpenProject process

Network Indicators:

  • HTTP POST requests to /projects/*/repository/changes with suspicious rev parameters

SIEM Query:

source="openproject" AND (uri_path="/repository/changes" AND (query="*--output*" OR query="*rev=*"))
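As an added example (not part of this advisory), the log and network indicators above turned into a small detector that runs over constructed web-server access-log lines. The combined log format, the sample lines and the field names are assumptions; the heuristic that a rev value beginning with "-" is an injected git option is an editorial extension of the --output indicator the advisory names.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - alice [12/Feb/2026:10:01:02 +0000] "GET /projects/demo/repository/changes?rev=main HTTP/1.1" 200 512',
    '10.0.0.7 - bob [12/Feb/2026:10:02:15 +0000] "POST /projects/demo/repository/changes?rev=--output%3D%2Ftmp%2Fmarker HTTP/1.1" 200 10',
    '10.0.0.9 - carol [12/Feb/2026:10:03:40 +0000] "GET /projects/demo/work_packages HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The endpoint the advisory names as the network indicator.
CHANGES_PATH_RE = re.compile(r'^/projects/[^/]+/repository/changes')


def parse_line(line):
    """Split one access-log line into fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec['target'])
    rec['path'] = url.path
    # parse_qs decodes once; unquote again so double-encoded values are not missed.
    rec['params'] = {k: [unquote(v) for v in vs]
                     for k, vs in parse_qs(url.query, keep_blank_values=True).items()}
    return rec


def suspicious_rev(values):
    """A revision that starts with '-' looks like a git option; --output is the advisory's indicator."""
    return any(v.lstrip().startswith('-') or '--output' in v for v in values)


def find_suspicious(lines):
    """Return the requests to the changes endpoint whose rev parameter looks like option injection."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not CHANGES_PATH_RE.match(rec['path']):
            continue
        revs = rec['params'].get('rev', [])
        if suspicious_rev(revs):
            hits.append({'ip': rec['ip'], 'user': rec['user'], 'method': rec['method'], 'rev': revs})
    return hits
```

Running find_suspicious(SAMPLE_LOGS) flags only bob's request; normal revisions such as branch names pass through.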
