CVE-2026-24685: OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability i...

Description

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt)`, an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0

9.4/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.32%

23.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-77

Affected Software

Vendor	Product	Versions
Openproject	Openproject	< 16.6.6
Openproject	Openproject	>= 17.0.0, < 17.0.2

References

https://github.com/opf/openproject/security/advisories/GHSA-74p5-9pr3-r6pwVendor Advisory

Timeline

Published: Jan 28, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-24685?

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt)`, an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.

How severe is CVE-2026-24685?

CVE-2026-24685 has a CVSS score of 9.4/10 (CRITICAL severity). The EPSS model estimates a 0.32% probability of exploitation in the next 30 days.

How do I fix CVE-2026-24685?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.