CVE-2026-22601 in openproject
Summary
by MITRE • 01/10/2026
OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.
Analysis
by VulDB Data Team • 01/15/2026
The vulnerability identified as CVE-2026-22601 affects OpenProject version 16.6.1 and earlier. It is a critical command injection flaw that allows authenticated administrators to execute arbitrary system commands. The flaw stems from insufficient input validation in the email configuration functionality, specifically when setting the sendmail binary path: a malicious administrator with valid credentials can supply specially formatted input that is passed directly to the underlying operating system without proper sanitization, thereby controlling what the system executes.
The root cause is the improper handling of user-supplied data within the email configuration parameters. When an administrator configures the sendmail binary path and subsequently triggers the test email function, the system processes the configured value without adequate sanitization or validation. Shell metacharacters in that value are therefore interpreted as commands, and the attacker's input runs with the privileges of the web application user. The vulnerability is categorized under CWE-78, improper neutralization of special elements used in an OS command, which directly describes the insecure handling of the command execution path.
The operational impact of this vulnerability is severe for organizations relying on OpenProject for project management. An authenticated administrator can leverage this flaw to gain complete control over the underlying system, potentially leading to data exfiltration, system compromise, or further lateral movement within the network. In effect, the flaw turns an application-level administrator account into operating system access: an attacker can manipulate files, terminate processes, or establish persistent access through a reverse shell. This is particularly concerning where OpenProject is deployed on shared infrastructure or where the web application runs with elevated privileges.
Organizations should immediately upgrade to OpenProject version 16.6.2 or later to remediate this vulnerability. The patch addresses the input validation issues by implementing proper sanitization of the sendmail binary path parameter and ensuring that user-supplied data cannot be interpreted as shell commands. Additional mitigations include enforcing strict access controls to limit the number of administrator accounts, monitoring and alerting on email configuration changes, and conducting regular security assessments of web applications. From an ATT&CK framework perspective, this vulnerability maps to T1059.001 Command and Scripting Interpreter: Shell Script and T1566.001 Phishing: Spearphishing Attachment, as it enables attackers to execute malicious commands through compromised administrative accounts. The vulnerability also highlights the importance of the principle of least privilege and proper input validation in web application security, in line with secure coding practices and defense-in-depth strategies that prevent command injection attacks.
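As an added example, not OpenProject's own code or its actual patch, the following Ruby shows the defensive pattern the remediation describes: an administrator-supplied sendmail binary path is treated as untrusted, validated against a character allow-list and a directory allow-list, and the binary is invoked through an argv array so no shell ever parses the configured value. The allowed directories, the `-i -t` arguments and the `send_test_mail` helper are assumptions for illustration.

```ruby
# Added example (not OpenProject's code): harden an admin-configured
# sendmail binary path so it can never be interpreted as a shell command.
require 'open3'

# Assumed allow-list of directories where a sendmail-compatible MTA
# binary is normally installed.
ALLOWED_SENDMAIL_DIRS = %w[/usr/sbin /usr/lib /usr/bin /usr/local/bin /usr/local/sbin].freeze

# Anything outside plain path characters (letters, digits, _ - . /) is rejected,
# which covers whitespace, quotes, ; & | ` $ ( ) < > and newlines.
FORBIDDEN_CHARS = %r{[^A-Za-z0-9_\-./]}

class InvalidSendmailPath < StandardError; end

# Returns the canonical path when acceptable, raises InvalidSendmailPath otherwise.
def validate_sendmail_path(raw)
  raise InvalidSendmailPath, 'path must be a non-empty string' unless raw.is_a?(String) && !raw.empty?
  raise InvalidSendmailPath, 'path contains forbidden characters' if raw.match?(FORBIDDEN_CHARS)
  raise InvalidSendmailPath, 'path must be absolute' unless raw.start_with?('/')
  # Collapse ".." and "//" so the directory allow-list cannot be sidestepped.
  path = File.expand_path(raw)
  unless ALLOWED_SENDMAIL_DIRS.include?(File.dirname(path))
    raise InvalidSendmailPath, "#{File.dirname(path)} is not an allowed sendmail directory"
  end
  path
end

# Argument vector for a test mail: the validated path plus fixed flags.
# Each element is a separate argv entry, so the path is only ever a program name.
def sendmail_argv(raw_path)
  [validate_sendmail_path(raw_path), '-i', '-t']
end

# Open3.capture3 with an array never spawns /bin/sh; argv[0] is executed directly.
def run_without_shell(argv, stdin_data)
  _out, err, status = Open3.capture3(*argv, stdin_data: stdin_data)
  status.success? || raise("sendmail exited #{status.exitstatus}: #{err}")
end

# Sends a test message; the runner is injectable so the flow can be exercised
# without a real MTA present.
def send_test_mail(raw_path, message, runner: method(:run_without_shell))
  runner.call(sendmail_argv(raw_path), message)
end
```

The validation and the shell-free invocation are independent layers: even if the allow-list were misconfigured, the argv form alone already stops metacharacters in the path from being interpreted.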