CVE-2026-52785 in openproject
Summary
by MITRE • 06/26/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/26/2026
The vulnerability identified in OpenProject versions prior to 17.3.3 and 17.4.1 represents a critical sql injection flaw within the timestamps functionality of this web-based project management platform. This security weakness specifically affects the baseline comparison feature that enables users to request historical work-package attributes through the timestamps parameter, creating an exploitable entry point for malicious actors seeking to manipulate database queries. The vulnerability stems from insufficient input validation and sanitization mechanisms applied to the timestamp parameter, allowing attackers to inject malicious sql code that can be executed within the underlying database system.
The technical implementation of this flaw occurs when the application processes user-supplied timestamp values without proper parameterization or filtering, directly incorporating these inputs into sql queries. This primitive approach to data handling creates a direct path for sql injection attacks where an attacker can manipulate the intended query structure and potentially execute unauthorized database operations. The vulnerability is particularly concerning because it operates within a legitimate feature designed for historical data retrieval, making it less likely to trigger security monitoring systems that might otherwise flag suspicious database activity. Attackers could leverage this weakness to extract sensitive information from the database, modify existing records, or potentially escalate privileges within the application's database environment.
The operational impact of this vulnerability extends beyond simple data theft, as it can enable comprehensive database enumeration and exploitation capabilities. An attacker with access to the affected functionality could potentially gain unauthorized access to all project management data including user credentials, project details, work package histories, and system configurations. The vulnerability affects the core baseline comparison functionality that many organizations rely upon for audit trails and historical reporting, making it a particularly attractive target for threat actors seeking persistent access to organizational project data. Additionally, the nature of sql injection vulnerabilities in database interfaces often allows for privilege escalation attacks that could enable attackers to gain administrative access to the underlying database system itself.
Organizations utilizing OpenProject versions prior to 17.3.3 and 17.4.1 should prioritize immediate remediation through patching or upgrading their installations to address this vulnerability. The fix implemented in these versions includes proper input validation, parameterized query construction, and enhanced sanitization of timestamp parameters to prevent malicious sql code execution. Security teams should conduct comprehensive vulnerability assessments to identify any potential exploitation attempts that may have occurred prior to patch deployment, while also implementing monitoring controls around the affected baseline comparison functionality. This vulnerability aligns with common weakness enumeration cwE-89 which specifically addresses sql injection flaws, and represents a typical example of how web application features can inadvertently create security exposure points when proper input validation is not implemented.
The remediation process should include thorough testing of the patched versions to ensure that legitimate timestamp functionality remains intact while malicious inputs are properly rejected. Organizations should also consider implementing additional security controls such as web application firewalls and database activity monitoring to provide defense-in-depth protection against similar vulnerabilities. Regular security assessments and code reviews focusing on sql injection prevention techniques should be implemented to reduce the risk of similar issues in other application components, particularly those handling user-supplied data within database operations. The incident underscores the importance of maintaining current software versions and implementing proper input validation practices across all web applications that interact with database systems, as sql injection vulnerabilities continue to represent one of the most prevalent and dangerous threats in web application security landscapes.