CVE-2026-22600

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/opf/openproject/releases/tag/v16.6.4	Release Notes
https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

History

14 Jan 2026, 22:25

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openproject:openproject::::::::
References	~~() https://github.com/opf/openproject/releases/tag/v16.6.4 -~~	() https://github.com/opf/openproject/releases/tag/v16.6.4 - Release Notes
References	~~() https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh -~~	() https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh - Patch
First Time		Openproject openproject Openproject

10 Jan 2026, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-10 02:15

Updated : 2026-01-14 22:25

NVD link : CVE-2026-22600

Mitre link : CVE-2026-22600

CVE.ORG link : CVE-2026-22600

JSON object : View

Products Affected

openproject

openproject

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-22600", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 3.1}]}, "published": "2026-01-10T02:15:48.743", "references": [{"url": "https://github.com/opf/openproject/releases/tag/v16.6.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh", "tags": ["Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually."}], "lastModified": "2026-01-14T22:25:56.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F91D546-F062-436F-B174-02FCE95C2376", "versionEndExcluding": "16.6.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}