← Back
2026-02-06 22:10CVE-2026-25763GitHub_M
PUBLISHED5.2CWE-78

Command Injection on OpenProject repositories leads to Remote Code Execution

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3.

Problem type

Affected products

opf

openproject

< 16.6.7 - AFFECTED

< 17.0.3 - AFFECTED

References

https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7

https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7

x_refsource_CONFIRM
https://github.com/opf/openproject/releases/tag/v16.6.7

https://github.com/opf/openproject/releases/tag/v16.6.7

x_refsource_MISC
https://github.com/opf/openproject/releases/tag/v17.0.3

https://github.com/opf/openproject/releases/tag/v17.0.3

x_refsource_MISC

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-25763
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-25763",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-02-06T22:10:13.323Z",
    "dateReserved": "2026-02-05T18:35:52.358Z",
    "datePublished": "2026-02-06T22:10:13.323Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-02-06T22:10:13.323Z"
      },
      "title": "Command Injection on OpenProject repositories leads to Remote Code Execution",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3."
        }
      ],
      "affected": [
        {
          "vendor": "opf",
          "product": "openproject",
          "versions": [
            {
              "version": "< 16.6.7",
              "status": "affected"
            },
            {
              "version": "< 17.0.3",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
              "cweId": "CWE-78",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7",
          "name": "https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/opf/openproject/releases/tag/v16.6.7",
          "name": "https://github.com/opf/openproject/releases/tag/v16.6.7",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/opf/openproject/releases/tag/v17.0.3",
          "name": "https://github.com/opf/openproject/releases/tag/v17.0.3",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}