CVE-2026-22600 Overview
CVE-2026-22600 is a Local File Read (LFR) vulnerability affecting OpenProject, an open-source, web-based project management software. The vulnerability exists in the work package PDF export functionality and can be exploited through specially crafted SVG files disguised as PNG images. When these malicious attachments are processed during PDF export, they trigger ImageMagick's text coder, allowing attackers to read arbitrary local files accessible to the application user.
Critical Impact
Attackers with attachment upload permissions can read sensitive system files including /etc/passwd, project configuration files, and private project data through exploitation of the ImageMagick image processing backend.
Affected Products
- OpenProject versions prior to 16.6.4
- OpenProject installations using ImageMagick for image processing
- OpenProject deployments with work package PDF export functionality enabled
Discovery Timeline
- 2026-01-10 - CVE-2026-22600 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22600
Vulnerability Analysis
This vulnerability exploits a weakness in OpenProject's handling of uploaded image attachments during PDF export operations. The attack chain begins when a user uploads a specially crafted SVG file with a PNG extension to a work package. OpenProject's backend relies on ImageMagick for image processing tasks, including resizing attachments for PDF generation.
When the work package containing the malicious attachment is exported to PDF, ImageMagick attempts to process and resize the image. The crafted SVG payload triggers ImageMagick's text: coder, which is designed to read text files and embed their contents. This behavior is exploited to read arbitrary files from the server's filesystem that the application user has permissions to access.
The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), as it enables unauthorized access to confidential data through improper handling of user-supplied content.
Root Cause
The root cause of this vulnerability lies in insufficient validation of uploaded file content. While OpenProject may check file extensions, the actual content type is not properly verified before being passed to ImageMagick for processing. ImageMagick's text: coder feature, when triggered by the malicious SVG payload, interprets file paths within the SVG and reads their contents, embedding them in the processed output.
This represents a classic case of inadequate input validation combined with unsafe delegation to an image processing library that has known security-sensitive features. The lack of proper ImageMagick policy restrictions to disable dangerous coders exacerbates the issue.
Attack Vector
The attack requires an authenticated user with permissions to upload attachments to containers that support PDF export (such as work packages). The attacker uploads a malicious SVG file disguised with a .png extension. This file contains payload directives that reference local file paths using ImageMagick's text: pseudo-protocol.
When any user (including the attacker) triggers a PDF export of the work package, the backend processes all attachments. During the resize operation, ImageMagick parses the SVG content and executes the embedded file read instructions. The contents of targeted files (e.g., /etc/passwd, configuration files, or sensitive project data) are then included in the processing output or can be exfiltrated through error messages or the resulting PDF.
The attack can be performed remotely over the network by any authenticated user with the requisite upload permissions. No user interaction beyond the initial PDF export trigger is required.
Detection Methods for CVE-2026-22600
Indicators of Compromise
- Presence of SVG files with non-SVG extensions (e.g., .png, .jpg) in work package attachments
- Unexpected file access patterns in application logs targeting sensitive files like /etc/passwd or configuration directories
- ImageMagick error logs containing references to the text: coder or file path inclusions
- Unusual PDF export requests, especially batch exports of work packages with recently uploaded attachments
Detection Strategies
- Implement file content inspection for uploaded attachments to detect SVG content regardless of file extension
- Monitor ImageMagick processing logs for invocations of potentially dangerous coders (text:, url:, label:)
- Review access logs for patterns of PDF export followed by immediate download of the same work packages
- Deploy web application firewall (WAF) rules to detect SVG-based file inclusion patterns in uploads
Monitoring Recommendations
- Enable verbose logging for the OpenProject attachment processing pipeline
- Configure alerts for ImageMagick coder warnings or errors during PDF generation
- Monitor filesystem access patterns of the OpenProject application user for reads of sensitive system files
- Implement audit logging for all PDF export operations with correlation to recent attachment uploads
How to Mitigate CVE-2026-22600
Immediate Actions Required
- Upgrade OpenProject to version 16.6.4 or later immediately
- Review recently uploaded attachments for suspicious files, particularly those with image extensions but SVG content
- Audit PDF export logs for any signs of prior exploitation
- Restrict attachment upload permissions to trusted users until patching is complete
Patch Information
The vulnerability has been patched in OpenProject version 16.6.4. Organizations should upgrade to this version or later to remediate the issue. The patch addresses the improper handling of SVG files during ImageMagick processing.
For detailed patch information, refer to the GitHub Release Notes v16.6.4 and the GitHub Security Advisory GHSA-m8f2-cwpq-vvhh.
Organizations unable to upgrade immediately may apply the patch manually as referenced in the security advisory.
Workarounds
- Disable the PDF export functionality for work packages until the patch can be applied
- Implement strict ImageMagick policy configurations to disable the text:, url:, and label: coders
- Configure file upload validation to reject files where content type does not match the declared extension
- Restrict work package attachment upload permissions to administrative or highly trusted users only
<!-- ImageMagick policy configuration to disable dangerous coders -->
<!-- Add inside the <policymap> element of /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml -->
<!-- Disable the text coder (and the related path-reading coders) to prevent file read attacks -->
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="LABEL" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<!-- Confirm the effective policy after editing with: identify -list policy -->
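As an added example (not OpenProject's own code) of the content inspection recommended under Detection Strategies and Workarounds above: a small Ruby validator that sniffs the real content of an upload, rejects SVG/XML bodies regardless of the declared image extension, and reports whether the body references the ImageMagick pseudo-protocols named in this advisory. The accepted-extension table, the function names and the sample inputs are assumptions constructed for this example.

```ruby
# Added example (not OpenProject's own code): content sniffing for uploaded
# attachments so an SVG disguised with a .png extension is rejected before it
# reaches ImageMagick, and is flagged if it references text:/url:/label: paths.

# Magic numbers for raster formats an attachment pipeline normally accepts
# (assumed allow-list for this example).
MAGIC = {
  "png"  => "\x89PNG\r\n\x1a\n".b,
  "jpg"  => "\xFF\xD8\xFF".b,
  "jpeg" => "\xFF\xD8\xFF".b,
  "gif"  => "GIF8".b,
}.freeze

# ImageMagick pseudo-protocols/coders that read or render local content.
DANGEROUS_CODERS = /\b(text|url|label|mvg|msl):/i

# True when the leading bytes look like an XML/SVG document rather than raster data.
def svg_content?(bytes)
  head = bytes.b[0, 4096].to_s.lstrip
  head.start_with?("<?xml".b) || head.include?("<svg".b)
end

# Classify an upload from its declared filename and raw bytes.
# Returns { verdict: :accept | :reject, reason: String }.
def validate_attachment(name, bytes)
  ext = File.extname(name).delete_prefix(".").downcase
  if svg_content?(bytes)
    coder = bytes.b.match(DANGEROUS_CODERS)
    reason = "SVG content under a .#{ext} extension"
    reason += " referencing the #{coder[1].downcase}: coder" if coder
    return { verdict: :reject, reason: reason }
  end
  sig = MAGIC[ext]
  return { verdict: :reject, reason: "extension .#{ext} not allowed" } unless sig
  return { verdict: :reject, reason: "magic bytes do not match .#{ext}" } unless bytes.b.start_with?(sig)
  { verdict: :accept, reason: "content matches .#{ext}" }
end

# Constructed samples: a PNG signature plus IHDR chunk header, and an SVG
# carrying a text: reference in its description (non-functional placeholder path).
GOOD_PNG = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0DIHDR".b
FAKE_PNG = %(<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">) +
           %(<desc>text:/path/to/local/file</desc></svg>)

if __FILE__ == $PROGRAM_NAME
  puts validate_attachment("logo.png", GOOD_PNG).inspect
  puts validate_attachment("logo.png", FAKE_PNG).inspect
end
```

Run the check at upload time, before the attachment is stored, so a rejected body never reaches the PDF export resize step.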
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.