CVE-2026-25763 Overview
CVE-2026-25763 is a critical argument-injection vulnerability (classified as CWE-78, OS command injection) in OpenProject, an open-source, web-based project management application. The flaw is in the repository changes endpoint (/projects/:project_id/repository/changes), which renders the "latest changes" view by running git log. Because the user-supplied rev value is handed to git unchanged, a value such as rev=--output=/tmp/poc.txt is parsed by git as a command-line option rather than as a revision, which lets the attacker make git log write its output to a path of their choosing. That arbitrary file write can be escalated to remote code execution.
Critical Impact
Any authenticated user who holds the :browse_repository permission on a project with a connected Git repository can create or overwrite files anywhere the OpenProject process user can write. Depending on where the file lands (a cron drop-in directory or a web-served path, for example), this can lead to code execution as that user, full compromise of the host, and access to data outside OpenProject, including system files such as /etc/passwd.
Affected Products
- OpenProject 16.x versions prior to 16.6.7
- OpenProject 17.x versions prior to 17.0.3
- Exploitation requires a project with a connected Git repository; instances without Git repository integration are not exposed through this endpoint
Discovery Timeline
- 2026-02-06 - CVE-2026-25763 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25763
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Strictly speaking it is an argument injection: the attacker does not get to run a shell command of their choosing, but controls an argument that git log interprets as an option. It is exploitable over the network by any authenticated user who has been granted :browse_repository on a project with a connected Git repository.
Attack complexity is low and no user interaction is required. A successful exploit gives the attacker a file write to any path writable by the OpenProject process user. Because git log only writes what is already in the repository's history, turning this into code execution additionally requires the attacker to get controlled content (for example a shell script in a commit message or file) into the repository, and then to direct the output to a location where it will be executed, such as a cron drop-in directory or a web-accessible path.
Root Cause
The root cause is missing validation of the rev parameter in the repository changes endpoint. When handling a request to /projects/:project_id/repository/changes, OpenProject places the user-supplied rev value on the git log command line without checking that it is a legitimate revision identifier.
Git parses any argument that begins with - as an option rather than a revision, and nothing in the vulnerable code tells git otherwise (for example with --end-of-options or a validated allow-list). An attacker can therefore inject git log options such as --output=<path>, which makes git write the log to that file instead of returning it to the application.
Attack Vector
The attack runs over the network against the repository changes endpoint. An attacker with valid credentials and the :browse_repository permission on a project with a Git repository proceeds as follows:
- The attacker requests /projects/:project_id/repository/changes with a rev parameter that is actually a git option (for example --output=/tmp/poc.txt)
- OpenProject builds and executes a git log command with the malicious rev value as an argument
- Git treats the injected --output option as an instruction and writes the log output to the attacker-chosen path, as the OpenProject process user
- To reach code execution, the attacker first places shell script content in the repository history (in commit messages or file contents), which requires the ability to push to or otherwise introduce content into the connected repository
- The attacker then points --output at a location where the written file will be executed, such as a file under /etc/cron.d/ or a web-accessible directory
- From there the attacker can establish a reverse shell and gain full access to the host, including data outside OpenProject
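The following Ruby snippet is an added illustration of the root cause and one way to close it; it is not OpenProject's code and does not reflect the actual fix. The method names, the repo_path argument and the REV_PATTERN allow-list are assumptions for the example. It shows the vulnerable argv shape (rev appended unchanged, so "--output=/tmp/poc.txt" becomes an option) next to a hardened shape that rejects option-like values and uses git's --end-of-options marker (git 2.24 or later) plus a trailing "--" so nothing after the revision can be re-interpreted.

```ruby
# Added example (not OpenProject's code): how a user-controlled revision
# becomes a git option, and one way to build the argv safely. repo_path,
# the method names and REV_PATTERN are assumptions for this illustration.

class InvalidRevision < ArgumentError; end

# Conservative allow-list for what the endpoint should accept as a revision:
# an abbreviated or full hex object name, or a ref name / range made of
# alphanumerics, ".", "_", "/" and "-", never starting with "-".
REV_PATTERN = /\A(?:[0-9a-f]{4,64}|[A-Za-z0-9][A-Za-z0-9._\/-]*)\z/

# Vulnerable shape: rev goes into argv unchanged. No shell is involved, but
# git itself parses any argument starting with "-" as an option, so
# rev = "--output=/tmp/poc.txt" turns the log view into a file write.
def vulnerable_git_log_argv(repo_path, rev, limit: 10)
  ["git", "-C", repo_path, "log", "-n", limit.to_s, rev]
end

# Hardened shape: validate first, then make the command line unambiguous.
# --end-of-options (git >= 2.24) tells git that nothing after it is an
# option, and the trailing "--" separates revisions from pathspecs.
def safe_git_log_argv(repo_path, rev, limit: 10)
  raise InvalidRevision, "revision must not start with '-'" if rev.start_with?("-")
  raise InvalidRevision, "unexpected characters in revision #{rev.inspect}" unless REV_PATTERN.match?(rev)

  ["git", "-C", repo_path, "log", "-n", limit.to_s, "--end-of-options", rev, "--"]
end

# Boolean form of the same check, for use at the controller boundary.
def valid_revision?(rev)
  !rev.start_with?("-") && REV_PATTERN.match?(rev)
end

if $PROGRAM_NAME == __FILE__
  repo = "/srv/openproject/repos/demo.git" # assumed path
  puts vulnerable_git_log_argv(repo, "--output=/tmp/poc.txt").inspect
  puts safe_git_log_argv(repo, "release/16.6").inspect
  begin
    safe_git_log_argv(repo, "--output=/tmp/poc.txt")
  rescue InvalidRevision => e
    puts "rejected: #{e.message}"
  end
end
```

The allow-list deliberately excludes revision syntax such as HEAD@{upstream} or main:path; for a "latest changes" view that is acceptable, and anything stricter than git's own parser is the right default when the value comes from an HTTP parameter.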
Detection Methods for CVE-2026-25763
Indicators of Compromise
- HTTP requests to /projects/*/repository/changes whose rev parameter begins with a dash (for example --output=, or percent-encoded forms such as %2D%2Doutput) rather than a revision identifier
- Unexpected file creation or modification by the OpenProject process user in system directories
- New or modified files in cron directories, web roots, or other sensitive locations created by the web application user
- Reverse shell connections originating from the OpenProject server process
Detection Strategies
- Monitor web application and reverse-proxy logs for requests to repository endpoints whose rev parameter, after URL decoding, starts with - (this catches --output, --format and any other git option rather than a fixed list of strings)
- Implement file integrity monitoring on critical system directories to detect unauthorized file creation or modification
- Deploy network monitoring to detect outbound connections from the OpenProject server to unexpected destinations, which may indicate reverse shell activity
- Correlate access logs with project membership and role assignments to identify which accounts holding :browse_repository are sending unusual requests to repository endpoints
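As an added example of the log-based detection described above (it is not from OpenProject or the advisory), the Ruby script below scans access-log lines for requests to the repository changes endpoint whose rev parameter would be parsed by git as an option. The log format and every sample line are constructed for the example; the point it makes is that the value has to be URL-decoded before matching, because a literal match on --output would miss %2D%2Doutput and any option other than --output.

```ruby
require "uri"

# Added example (not from OpenProject or the advisory): flag requests to the
# repository changes endpoint whose rev parameter would be parsed by git as
# an option. Log format and all sample lines are constructed for the example,
# in the form "<client-ip> <user> <method> <request-uri> <status>".
SAMPLE_LOG = <<~LOG
  10.0.0.5 alice GET /projects/demo/repository/changes?rev=main 200
  10.0.0.5 alice GET /projects/demo/repository/changes?rev=a1b2c3d 200
  10.0.0.9 mallory GET /projects/demo/repository/changes?rev=--output=/tmp/poc.txt 200
  10.0.0.9 mallory GET /projects/demo/repository/changes?rev=%2D%2Doutput%3D%2Fetc%2Fcron.d%2Fpoc 200
  10.0.0.9 mallory GET /projects/demo/repository/changes?rev=-p 200
  10.0.0.7 bob GET /projects/demo/work_packages?rev=--output=x 200
LOG

# Only the vulnerable endpoint is of interest; other paths with a rev
# parameter are noise for this rule.
CHANGES_PATH = %r{\A/projects/[^/]+/repository/changes\z}

# Any value starting with "-" is option-like to git. A substring match on
# "--output" alone would miss other options and percent-encoded variants.
def option_like?(value)
  value.start_with?("-")
end

# Split one log line into its fields and decode the query string, so that
# %2D%2D is seen as "--" before the rule is applied.
def parse_line(line)
  client, user, method, uri, status = line.split(" ", 5)
  path, query = uri.split("?", 2)
  params = query ? URI.decode_www_form(query).to_h : {}
  { client: client, user: user, method: method, path: path, params: params, status: status }
end

# Returns the parsed records that should raise an alert.
def suspicious_requests(log)
  log.each_line
     .map(&:strip)
     .reject(&:empty?)
     .map { |line| parse_line(line) }
     .select { |r|
       CHANGES_PATH.match?(r[:path]) &&
         r[:params].key?("rev") &&
         option_like?(r[:params]["rev"])
     }
end

if $PROGRAM_NAME == __FILE__
  suspicious_requests(SAMPLE_LOG).each do |r|
    puts "ALERT #{r[:client]} #{r[:user]} #{r[:path]} rev=#{r[:params]['rev'].inspect}"
  end
end
```

Running it flags the three mallory requests (the plain, percent-encoded and short-option forms) and leaves alice's legitimate revisions and bob's request to an unrelated endpoint alone. The same decode-then-match logic is what a WAF rule for this endpoint needs.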
Monitoring Recommendations
- Enable verbose logging for the OpenProject application to capture full request details including query parameters
- Alert on git processes spawned by the OpenProject application whose command line contains --output= or other options the application does not normally emit
- Monitor system process trees for child processes spawned from the OpenProject application that exhibit shell-like behavior
- Set up file creation alerts for directories commonly targeted in webshell attacks
How to Mitigate CVE-2026-25763
Immediate Actions Required
- Upgrade OpenProject to 16.6.7 (16.x branch) or 17.0.3 (17.x branch), or a later release of the same branch, as soon as possible
- Audit user permissions to ensure only trusted users have the :browse_repository permission
- Review recent activity logs for signs of exploitation attempts on repository endpoints
- If unable to patch immediately, consider temporarily disabling Git repository integration or restricting access to the repository changes endpoint
Patch Information
OpenProject has released patched versions that address this vulnerability:
- OpenProject v16.6.7 - Security patch for the 16.x branch
- OpenProject v17.0.3 - Security patch for the 17.x branch
For detailed information about this vulnerability, refer to the GitHub Security Advisory GHSA-x37c-hcg5-r5m7.
Workarounds
- Restrict the :browse_repository permission to only highly trusted users until the patch can be applied
- Implement web application firewall rules that block requests to repository endpoints whose rev parameter begins with a dash (covering --output, --format and any other git option); match on the URL-decoded value, since %2D%2Doutput would otherwise pass a literal --output pattern. Treat this as a stopgap until the patch is applied, not a replacement for it
- Consider temporarily disabling external Git repository integration if not critical to operations
- Apply file system restrictions to limit the directories writable by the OpenProject process user
# Example: list the directories the OpenProject process user can write to.
# Run the test as that user: "-writable" checks the invoking user, so running
# it as root would report every directory as writable.
sudo -u openproject find / -xdev -type d -writable 2>/dev/null
# Cron drop-in directories and the web root should be owned by root and
# not writable by the application user or its group
sudo chown root:root /etc/cron.d /etc/cron.daily
sudo chmod 755 /etc/cron.d /etc/cron.daily
sudo chmod go-w /var/www
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


