Platform: ruby
Component: openproject
Fixed in: 16.6.10, 17.0.1, 17.1.1, 17.2.1
CVE-2026-32698 describes a critical SQL injection vulnerability affecting OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. This flaw allows attackers to inject malicious SQL commands during the generation of Cost Reports, potentially compromising sensitive data. The vulnerability stems from improper sanitization of custom field names when they are used within Cost Reports; creating custom fields requires administrator privileges, which slightly reduces the attack surface. A fix is available in version 16.6.9.
Successful exploitation of CVE-2026-32698 allows an attacker to execute arbitrary SQL commands within the OpenProject database. This could lead to unauthorized access, modification, or deletion of project data, including user credentials, project plans, and financial information. The impact is particularly severe because the attacker could potentially gain full control over the OpenProject instance. The description mentions a related bug in the Repositories module, suggesting a broader potential attack surface. While custom field creation requires administrator privileges, a compromised administrator account would grant an attacker complete control.
CVE-2026-32698 was published on 2026-03-18. The vulnerability's CRITICAL CVSS score (9.1) indicates a high potential for exploitation. Public proof-of-concept (PoC) code is currently unavailable, but the SQL injection nature of the vulnerability makes it likely that PoCs will emerge. It is not currently listed on CISA KEV, but its severity warrants close monitoring.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-32698 is to upgrade OpenProject to version 16.6.9 or later. If an immediate upgrade is not feasible, consider restricting access to Cost Report generation to trusted users only. Implement strict input validation on custom field names to prevent malicious characters from being injected into SQL queries. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can provide an additional layer of defense. Monitor OpenProject logs for suspicious SQL queries or database activity.
Update OpenProject to version 16.6.9, 17.0.6, 17.1.3 or 17.2.1, or a later version. These versions fix the SQL injection vulnerability in custom field names and the related vulnerability in the Repositories module.
CVE-2026-32698 is a critical SQL injection vulnerability in OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, allowing attackers to execute SQL commands via custom field names in Cost Reports.
You are affected if you are running OpenProject 17.2.0 or earlier (any version below 17.2.1) without one of the fixed releases for your branch. Check your OpenProject version and upgrade immediately if vulnerable.
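The following version check is an added example, not part of this advisory and not OpenProject's own code. It classifies an installed OpenProject version string against the fixed releases named in the text above (16.6.9, 17.0.6, 17.1.3, 17.2.1), using only the Gem::Version class bundled with Ruby. Note that the header of this page lists different fixed versions (16.6.10, 17.0.1, 17.1.1, 17.2.1); confirm the thresholds against the vendor advisory before relying on the result. The sample version strings in the block are constructed.

```ruby
require "rubygems" # Gem::Version ships with RubyGems; explicit require for clarity

# Fixed releases per release branch, taken from the advisory text on this page.
# ASSUMPTION: the page header lists 16.6.10 / 17.0.1 / 17.1.1 / 17.2.1 instead;
# verify the authoritative values against the vendor advisory before use.
FIXED_RELEASES = %w[16.6.9 17.0.6 17.1.3 17.2.1].map { |v| Gem::Version.new(v) }.freeze

# Returns the fixed release on the same major.minor branch as +version+, or nil
# when no fixed release exists on that branch.
def fix_for_branch(version)
  FIXED_RELEASES.find { |fix| fix.segments[0, 2] == version.segments[0, 2] }
end

# Classifies an installed OpenProject version string.
# Returns one of:
#   :fixed          - on a patched branch, at or above the fixed release
#   :affected       - below the fixed release on its branch, or older than every patched branch
#   :newer_branch   - newer than every fixed release listed (assumed to carry the fix)
#   :unknown_branch - between listed branches with no fix listed; review manually
#   :invalid        - not a parseable version string
def classify_version(version_string)
  version = Gem::Version.new(version_string.to_s.strip)
  fix = fix_for_branch(version)

  if fix
    version < fix ? :affected : :fixed
  elsif version < FIXED_RELEASES.min
    :affected          # e.g. 16.5.x or 15.x: no fix on that branch, must upgrade
  elsif version > FIXED_RELEASES.max
    :newer_branch      # e.g. 17.3.x: released after the fixed versions
  else
    :unknown_branch    # conservative: do not assume safe without checking
  end
rescue ArgumentError
  :invalid
end

# Builds a report for a set of installed instances, keyed by a label.
# Input: { "label" => "version string" }; output: { "label" => :classification }.
def audit_instances(instances)
  instances.transform_values { |v| classify_version(v) }
end

# Constructed sample inventory for demonstration only.
SAMPLE_INSTANCES = {
  "prod-eu"   => "17.2.0",
  "prod-us"   => "17.2.1",
  "staging"   => "17.1.2",
  "legacy"    => "16.5.3",
  "dev"       => "17.3.0",
  "broken"    => "not-a-version",
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit_instances(SAMPLE_INSTANCES).each do |label, status|
    puts format("%-10s %-15s %s", label, SAMPLE_INSTANCES[label], status)
  end
end
```

Run it with a real inventory by replacing the constructed hash; anything reported as :affected or :unknown_branch should be scheduled for upgrade or manual review.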
Upgrade OpenProject to version 16.6.9 or later. Restrict access to Cost Report generation and implement input validation as temporary mitigations.
While no active exploitation has been confirmed, the vulnerability's severity and SQL injection nature make it a likely target for attackers.
Refer to the OpenProject security advisories page for the latest information and updates regarding CVE-2026-32698: [https://www.openproject.org/security-advisories/](https://www.openproject.org/security-advisories/)