Platform
rails
Component
openproject
Fixed in
17.2.4
CVE-2026-34717 describes a SQL injection vulnerability affecting OpenProject. The vulnerability allows an attacker to inject arbitrary SQL commands because user input reaching the '=n' operator is not sanitized, potentially leading to data breaches or unauthorized access. This affects OpenProject versions less than or equal to 17.2.3. The vulnerability is fixed in version 17.2.3.
CVE-2026-34717 in OpenProject represents a critical risk with a CVSS score of 9.9 due to a SQL injection vulnerability. Prior to version 17.2.3, the use of the '=n' operator in the source code allowed for the direct embedding of user-supplied data into SQL WHERE clauses without proper parameterization. This means an attacker could manipulate SQL queries, potentially extracting sensitive data from the database, modifying it, or even compromising the system's integrity. The severity of this vulnerability stems from its ease of exploitation and the potential damage it can inflict on the confidentiality, integrity, and availability of OpenProject data. The lack of parameterization is a common flaw that can be exploited by attackers, even those with limited security expertise.
The vulnerability resides within the reporting module of OpenProject, specifically in the operator.rb file. An attacker could exploit this vulnerability by sending malicious data through the user interface that is processed without adequate validation. This malicious data is then directly injected into the SQL query, allowing the attacker to control the query's logic. Successful exploitation typically requires the attacker to have the ability to send data through the OpenProject user interface, generally implying a valid user account. However, inadequate authentication or authorization could potentially allow an unauthenticated attacker to exploit the vulnerability.
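The flaw class described above, as an added illustration in plain Ruby: a hypothetical "=n" (equals-any-of) operator that interpolates user values into a WHERE fragment, beside a hardened form that allow-lists the column, coerces each value to an integer and returns a placeholder fragment with a separate bind array. This is not OpenProject's operator.rb; the class names, the allow-list and the sample values are assumptions.

```ruby
# Added illustration of the SQL injection class described above. Hypothetical
# classes, not OpenProject's operator.rb. Each "=n" operator turns a field name
# and a list of user-supplied values into a SQL WHERE fragment.

# Vulnerable shape: the values are interpolated straight into the SQL text, so
# whatever the user typed becomes part of the query's logic.
class UnsafeEqualsN
  def sql_where(field, values)
    "#{field} IN (#{values.join(', ')})"
  end
end

# Hardened shape: the column name must come from an allow-list, every value
# must parse as a decimal integer, and the fragment uses "?" placeholders with
# a separate bind array, i.e. the [sql, *binds] pair ActiveRecord's where accepts.
class SafeEqualsN
  ALLOWED_FIELDS = %w[project_id status_id assigned_to_id].freeze # assumed allow-list

  def sql_where(field, values)
    raise ArgumentError, "unknown field #{field.inspect}" unless ALLOWED_FIELDS.include?(field)
    ints = values.map { |v| Integer(v.to_s, 10) } # raises ArgumentError on "1 OR 1=1"
    placeholders = Array.new(ints.size, "?").join(", ")
    ["#{field} IN (#{placeholders})", ints]
  end
end

# Convenience check used by tests and reviewers: does the hardened operator
# accept this field/value combination at all?
def accepted_by_safe_operator?(field, values)
  SafeEqualsN.new.sql_where(field, values)
  true
rescue ArgumentError
  false
end
```

A regression test for the fixed version should assert that non-integer values are rejected before any SQL text is built, which is the property the interpolating form lacks.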
Exploit Status
EPSS: 0.05% (15th percentile)
The solution to mitigate CVE-2026-34717 is to upgrade OpenProject to version 17.2.3 or higher. This version includes a fix that implements proper parameterization of SQL queries, preventing the injection of malicious code. Until the upgrade is performed, consider implementing additional security measures such as restricting database access, implementing firewalls, and monitoring for suspicious activity. Thorough testing should be conducted after the upgrade to ensure the fix has been applied correctly and has not introduced new issues. Reviewing organizational security policies and training personnel on security best practices is also recommended to prevent future incidents.
Update OpenProject to version 17.2.3 or higher. This version fixes the SQL Injection vulnerability. The update can be performed through the OpenProject administration panel or by following the upgrade instructions provided by the vendor.
SQL injection is an attack technique that allows attackers to manipulate SQL queries to gain unauthorized access to data or modify the database.
A CVSS score of 9.9 indicates a critical vulnerability, meaning it is highly likely to be exploited and can cause significant damage.
If you cannot upgrade immediately, implement additional security measures such as restricting database access and monitoring for suspicious activity.
Vulnerability scanning tools can detect SQL injection vulnerabilities. Consult with your security provider for recommendations.
You can find more information about CVE-2026-34717 in the NIST National Vulnerability Database.