CVE-2026-22600 in openproject
Summary
by MITRE • 01/10/2026
OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.
Analysis
by VulDB Data Team • 01/15/2026
The vulnerability CVE-2026-22600 represents a critical local file read flaw within OpenProject's PDF export functionality, specifically affecting versions prior to 16.6.4. This vulnerability stems from the application's improper handling of image processing within its work package export system, creating a pathway for attackers to escalate privileges through malicious file uploads. The attack vector exploits the backend image processing engine ImageMagick, which processes uploaded attachments before PDF generation. When a specially crafted SVG file is disguised as a PNG attachment and later processed during PDF export, the vulnerability becomes exploitable, demonstrating a significant security gap in input validation and file type handling mechanisms.
The technical exploitation occurs through a sophisticated manipulation of the ImageMagick text: coder functionality, which allows attackers to execute arbitrary file reads by leveraging the image processing pipeline. The vulnerability specifically targets the work package attachment system where users can upload files that are later processed during PDF generation, creating a window of opportunity for attackers to access sensitive local files. The attack requires minimal privileges - only the ability to upload attachments to work packages, which many users possess within typical project management environments. This makes the vulnerability particularly dangerous as it can be exploited by users with relatively low-level access permissions, potentially exposing sensitive project data, system configuration files, and user credentials stored on the server.
The operational impact of this vulnerability extends beyond simple data exfiltration, as it enables attackers to access critical system information that could facilitate further exploitation or lateral movement within the network. Attackers can read system files such as /etc/passwd, project configuration data, and private project information, potentially leading to complete system compromise. The vulnerability affects the core functionality of OpenProject's collaboration features, where work packages serve as central data containers, making it particularly dangerous in enterprise environments where project data often contains sensitive business information. The exploit demonstrates a clear weakness in the application's security architecture, specifically in how it handles external file processing and validates file types during upload operations, aligning with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path) classifications.
Organizations utilizing OpenProject must implement immediate mitigation strategies to protect against this vulnerability, with the recommended approach being the upgrade to version 16.6.4 or later, where the issue has been patched. The patch addresses the root cause by properly validating file types and implementing stricter input sanitization for image processing operations. Organizations unable to upgrade immediately should apply the manual patch to modify the image processing pipeline and enforce proper file type validation. Security teams should also consider network-based protections such as intrusion detection systems that can detect attempts to upload malicious SVG files, as well as monitoring for unusual file access patterns that might indicate exploitation attempts. The vulnerability highlights the importance of secure coding practices and proper input validation, particularly when dealing with external file processing in web applications, and aligns with ATT&CK techniques T1074.001 (Data Staged) and T1566.001 (Phishing) as potential exploitation vectors in broader attack chains.
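As an added illustration of the file-type validation the patch description calls for (example code written for this page, not OpenProject's own implementation): a content-sniffing check that refuses any attachment whose bytes are not an allowlisted raster format matching its declared type, so an SVG uploaded under a PNG name never reaches ImageMagick. The signature table, function names and the sample inputs are assumptions.

```ruby
# Added example (not OpenProject code): sniff the real format of an uploaded
# image from its leading bytes instead of trusting the extension or the
# client-supplied Content-Type, which is what lets a disguised SVG through.
MAGIC = {
  "image/png"  => ["\x89PNG\r\n\x1a\n".b],
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b],
}.freeze

# Only raster formats are accepted for export; SVG is XML text that
# ImageMagick would parse, so it is detected and refused explicitly.
ALLOWED_RASTER = %w[image/png image/jpeg image/gif].freeze

# Returns the detected MIME type, "image/svg+xml" for XML/SVG documents,
# or nil when the leading bytes match nothing known.
def sniff_image_format(bytes)
  data = bytes.b
  MAGIC.each { |mime, sigs| return mime if sigs.any? { |s| data.start_with?(s) } }
  # SVG may start with a UTF-8 BOM, whitespace, an XML declaration or a DOCTYPE.
  data = data[3..] if data.start_with?("\xEF\xBB\xBF".b)
  head = data.lstrip[0, 512].to_s.downcase
  return "image/svg+xml" if head.start_with?("<?xml") || head.include?("<svg")
  nil
end

# Returns [:ok, mime] when the bytes are an allowlisted raster image of the
# declared type, otherwise [:reject, reason]. Reject before any resize step.
def validate_image_attachment(bytes, declared_type)
  actual = sniff_image_format(bytes)
  return [:reject, "unrecognized image data"] if actual.nil?
  return [:reject, "#{actual} is not an accepted raster format"] unless ALLOWED_RASTER.include?(actual)
  return [:reject, "declared #{declared_type} but content is #{actual}"] if declared_type != actual
  [:ok, actual]
end

# Constructed samples (not real attachments): a truncated PNG header, and a
# harmless SVG document submitted with a .png name and image/png type.
PNG_SAMPLE = "\x89PNG\r\n\x1a\n\0\0\0\rIHDR".b
SVG_SAMPLE = %(<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>)
BARE_SVG_SAMPLE = "  \n<svg xmlns=\"http://www.w3.org/2000/svg\"></svg>"

if __FILE__ == $0
  p validate_image_attachment(PNG_SAMPLE, "image/png")       # [:ok, "image/png"]
  p validate_image_attachment(SVG_SAMPLE, "image/png")       # [:reject, ...]
  p validate_image_attachment(BARE_SVG_SAMPLE, "image/png")  # [:reject, ...]
end
```

Pairing a check like this with an ImageMagick policy.xml that denies coders the export never needs (for example `<policy domain="coder" rights="none" pattern="TEXT"/>`) gives defense in depth if a file still slips past upload validation.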