Platform: ruby
Component: openproject
Fixed in:
16.6.10
17.0.1
17.1.1
17.2.1
CVE-2026-32698 is a critical SQL injection vulnerability in OpenProject affecting versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When a Cost Report is generated, the name of a custom field is used in the report query without proper sanitization, so a crafted custom field name becomes injected SQL. Creating custom fields requires administrator privileges, which narrows the attack surface somewhat: the attacker must already hold, or have compromised, an administrator account. Fixed releases are available for each affected branch (16.6.9, 17.0.6, 17.1.3, 17.2.1).
The primary impact of CVE-2026-32698 is unauthorized read and write access to data stored in the OpenProject database. An attacker with the ability to create custom fields could use the injection to extract user credentials, project details, financial information (via Cost Reports), and other confidential data. The advisory notes that the flaw can be chained with a related bug in the Repositories module, potentially enabling broader system compromise. Depending on the attacker's skill and the permissions of the database role OpenProject connects with, successful exploitation could lead to data exfiltration, denial of service, or full database takeover.
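The bug class the advisory describes, as an added illustration that is not OpenProject's code: a custom field name spliced into report SQL as a column alias, next to two ways of closing the hole (quoting the identifier, or not using user-chosen text in SQL structure at all). The table and column names (cost_entries, costs, project_id), the payload, and the helper names are all assumptions made for this example.

```ruby
# Added illustration, not OpenProject's code. Table/column names are
# hypothetical; the payload is a constructed sample.

# Constructed sample: a custom field name an administrator could create.
MALICIOUS_FIELD_NAME = 'Travel"; SELECT 1; --'

# Vulnerable pattern: the field name is trusted and interpolated verbatim.
# The double quote in the name closes the alias and the rest runs as SQL.
def build_cost_report_sql_vulnerable(custom_field_name, project_id)
  "SELECT SUM(costs) AS \"#{custom_field_name}\" " \
  "FROM cost_entries WHERE project_id = #{Integer(project_id)}"
end

# PostgreSQL identifier quoting: wrap in double quotes, double any embedded
# double quote, reject NUL. These are the rules PG::Connection#quote_ident
# and ActiveRecord's connection.quote_column_name apply; reimplemented here
# so the example runs without a database driver.
def quote_ident(name)
  raise ArgumentError, "identifier contains NUL" if name.include?("\0")
  '"' + name.gsub('"', '""') + '"'
end

# Fix 1: quote the identifier. The whole payload stays inside one alias.
def build_cost_report_sql_quoted(custom_field_name, project_id)
  "SELECT SUM(costs) AS #{quote_ident(custom_field_name)} " \
  "FROM cost_entries WHERE project_id = #{Integer(project_id)}"
end

# Fix 2 (preferable): never put user-chosen text into SQL structure. Alias
# the column by the custom field's numeric id and map ids back to display
# names in application code when rendering the report.
def build_cost_report_sql_by_id(custom_field_id, project_id)
  "SELECT SUM(costs) AS \"cf_#{Integer(custom_field_id)}\" " \
  "FROM cost_entries WHERE project_id = #{Integer(project_id)}"
end

# Rough structural check for the demo: blank out quoted identifiers, then
# look for a statement separator or comment marker left outside them.
# Not a SQL parser, just enough to show the difference between the variants.
def injected?(sql)
  outside_identifiers = sql.gsub(/"(?:[^"]|"")*"/, "IDENT")
  outside_identifiers.include?(";") || outside_identifiers.include?("--")
end

if __FILE__ == $PROGRAM_NAME
  [:build_cost_report_sql_vulnerable, :build_cost_report_sql_quoted].each do |builder|
    sql = send(builder, MALICIOUS_FIELD_NAME, 7)
    puts "#{builder}: #{sql}"
    puts "  injected outside identifier? #{injected?(sql)}"
  end
end
```

The first builder yields `SELECT SUM(costs) AS "Travel"; SELECT 1; --" FROM cost_entries ...`, which a database would execute as two statements; the quoted builder yields a single alias `"Travel""; SELECT 1; --"`. The id-based alias is the better fix because it removes the need to trust the name at all, which is also the safest shape for a temporary review of existing custom field names.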
CVE-2026-32698 was publicly disclosed on March 18, 2026. Its criticality (CVSS score of 9.1) and the potential for significant data compromise make it an attractive target. No public proof-of-concept (PoC) had been released at the time of writing, but SQL injection flaws are typically easy to weaponize once the affected code path is known, so a PoC and in-the-wild exploitation can follow quickly. Note that the EPSS estimate listed on this page is low (0.03%, 10th percentile), so the severity rating reflects impact rather than observed exploitation. Monitor security advisories and threat intelligence feeds for any indication of active exploitation campaigns.
Organizations using OpenProject for project management, particularly those with custom fields and Cost Reports enabled, are at risk. Environments with limited access controls or where administrator privileges are broadly granted are especially vulnerable. Shared hosting environments running OpenProject should be carefully assessed.
• linux / server:
  journalctl -u openproject -g "SQL injection"
• generic web:
  curl -s -i 'https://<openproject_url>/cost_reports?custom_field_name=<sqli_payload>' | grep -i 'SQL injection'
Both commands only match the literal phrase "SQL injection", which neither journald nor an OpenProject error response normally contains, and the URL, query parameter and payload are placeholders; a non-match is therefore not evidence that you are unaffected. The reliable check is the installed version against the fixed release for your branch.
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32698 is to upgrade OpenProject immediately to the fixed release for your branch (16.6.9, 17.0.6, 17.1.3, or 17.2.1, or later). If upgrading is not immediately feasible because of compatibility concerns or breaking changes, reduce exposure in the meantime: limit the administrator accounts able to create or rename custom fields, restrict who can generate Cost Reports, and audit existing custom field names for double quotes, semicolons, comment markers and other SQL syntax. These measures shrink the attack surface but are not a complete fix. A Web Application Firewall (WAF) configured to detect and block SQL injection attempts can add a further layer of defense, though the injection point here is a stored field name rather than a request parameter, so WAF coverage may be limited. Monitor OpenProject and database logs for unexpected queries, particularly those involving custom field names. After upgrading, confirm that the running version is at or above the fixed release for your branch.
Update OpenProject to version 16.6.9, 17.0.6, 17.1.3 or 17.2.1, or a later version. These releases fix the SQL injection vulnerability in custom field names and the related vulnerability in the Repositories module.
CVE-2026-32698 is a critical SQL injection vulnerability in OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, allowing attackers to execute SQL commands via custom field names in Cost Reports.
You are affected if you run any OpenProject release below the fixed release of its branch: 16.6.x before 16.6.9, 17.0.x before 17.0.6, 17.1.x before 17.1.3, 17.2.0, or any older branch. Note that the "Fixed in" list in this page's header (16.6.10, 17.0.1, 17.1.1, 17.2.1) does not match the versions named in the text for three of the four branches; confirm the exact fixed release for your branch against the OpenProject security advisories page before concluding you are safe. Check your installed version and upgrade immediately if it is below the fixed release.
Upgrade OpenProject to 16.6.9, 17.0.6, 17.1.3, or 17.2.1 (or later) on your branch. Until then, restrict who can create or rename custom fields and who can generate Cost Reports, and audit existing custom field names for quote characters and SQL syntax.
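A small version check, added here as an example and not part of the advisory, that maps an installed OpenProject version to the first fixed release of its branch. It uses the fixed versions named in the advisory text; the page header lists different patch numbers for three branches, so confirm the table against the upstream advisory before relying on it. The version string is assumed to come from your own deployment (for instance the administration information page or the container image tag).

```ruby
require "rubygems" # Gem::Version ships with Ruby's standard distribution

# Added example, not from the advisory. First fixed release per branch,
# taken from the advisory text; the page header lists different patch
# numbers for some branches, so verify against the upstream advisory.
FIXED_VERSIONS = {
  "16.6" => Gem::Version.new("16.6.9"),
  "17.0" => Gem::Version.new("17.0.6"),
  "17.1" => Gem::Version.new("17.1.3"),
  "17.2" => Gem::Version.new("17.2.1"),
}.freeze

OLDEST_FIXED_BRANCH = Gem::Version.new("16.6")

# Returns :fixed, :vulnerable or :unknown_branch for an installed version.
# Branches older than the oldest one in the table never received a fix and
# are reported as vulnerable; branches newer than the table are reported as
# unknown rather than guessed.
def cve_2026_32698_status(version_string)
  version = Gem::Version.new(version_string)
  branch = version.segments[0, 2].join(".")
  if (fixed = FIXED_VERSIONS[branch])
    version >= fixed ? :fixed : :vulnerable
  elsif version < OLDEST_FIXED_BRANCH
    :vulnerable
  else
    :unknown_branch
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; replace with the version your deployment reports.
  %w[16.5.0 16.6.9 17.0.5 17.1.2 17.1.3 17.2.0 17.2.1 17.3.0].each do |v|
    puts "#{v}: #{cve_2026_32698_status(v)}"
  end
end
```

Run it with the version string your deployment reports; anything other than :fixed means upgrade, and :unknown_branch means the table needs updating from the upstream advisory.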
While no active exploitation has been confirmed, the vulnerability's severity and SQL injection nature make it a likely target for attackers.
Refer to the OpenProject security advisories page for the latest information and updates regarding CVE-2026-32698: [https://www.openproject.org/security-advisories/](https://www.openproject.org/security-advisories/)