CVE-2026-32698 Overview
CVE-2026-32698 is an SQL injection vulnerability in OpenProject, an open-source, web-based project management software. The vulnerability exists in the Cost Report generation functionality where custom field names are injected into SQL queries without proper sanitization. When chained with a secondary vulnerability in the Repositories module, this flaw enables attackers to achieve remote code execution on the underlying server.
Critical Impact
Attackers with administrator privileges can execute arbitrary SQL commands during Cost Report generation, and when combined with a path traversal issue in the git repository checkout functionality, inject malicious Ruby code into the application that executes upon restart.
Affected Products
- OpenProject versions prior to 16.6.9
- OpenProject versions prior to 17.0.6
- OpenProject versions 17.1.0 through 17.1.2
- OpenProject version 17.2.0
Discovery Timeline
- 2026-03-18 - CVE-2026-32698 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32698
Vulnerability Analysis
This vulnerability represents a dangerous attack chain that combines SQL injection with path traversal to achieve remote code execution. The primary vulnerability resides in how OpenProject handles custom field names when generating Cost Reports. Custom fields are user-definable data elements in OpenProject that administrators can create to track project-specific information.
When a custom field is used within a Cost Report, the application constructs SQL queries that incorporate the custom field's name directly without proper input sanitization or parameterized queries. This classic SQL injection pattern allows an authenticated administrator to craft a malicious custom field name containing SQL metacharacters that escape the intended query context and execute arbitrary SQL commands against the backend database.
The attack surface is limited because custom fields can only be created by users with full administrator privileges. However, the severity is compounded by a secondary vulnerability in the Repositories module. This module generates filesystem checkout paths for git repositories using the project identifier without proper sanitization. Normally, project identifiers cannot contain special characters like dots or slashes. However, by exploiting the SQL injection vulnerability, an attacker can modify project identifiers directly in the database to include path traversal sequences.
This enables the attacker to checkout a git repository to an arbitrary location on the server's filesystem. If the checkout destination falls within certain paths inside the OpenProject application directory structure, the attacker can place malicious Ruby code that will be executed when the application restarts.
Root Cause
The root cause is improper input validation and a failure to use parameterized SQL queries when incorporating user-controlled custom field names into database queries. The secondary issue stems from trusting that project identifiers will always conform to application-level validation rules without re-validating at the database layer before using them in filesystem operations.
Attack Vector
The attack requires network access and administrative privileges within the OpenProject application. An attacker would first create a custom field with a maliciously crafted name containing SQL injection payloads. When generating a Cost Report that references this custom field, the payload executes against the database. The attacker then uses the SQL injection to modify a project identifier to include path traversal sequences, allowing a git repository checkout to write files to sensitive application directories. Upon application restart, the injected Ruby code executes with the application's privileges.
The vulnerability manifests when Cost Reports are generated with maliciously named custom fields. The SQL query construction fails to properly escape or parameterize the custom field name, allowing the injected SQL to execute in the database context. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-32698
Indicators of Compromise
- Unusual custom field names containing SQL metacharacters such as single quotes, semicolons, or UNION/SELECT keywords
- Database audit logs showing anomalous queries during Cost Report generation
- Modified project identifiers containing path traversal sequences like ../ or absolute paths
- Unexpected files appearing in OpenProject application directories, particularly Ruby files
- Git repository checkouts to non-standard filesystem locations
Detection Strategies
- Implement database query logging and alerting for Cost Report operations to identify SQL injection attempts
- Monitor filesystem integrity within OpenProject installation directories for unauthorized modifications
- Configure Web Application Firewall (WAF) rules to detect SQL injection patterns in administrative requests
- Enable audit logging for all custom field creation and modification events
- Review git repository configurations for suspicious checkout paths
Monitoring Recommendations
- Deploy SentinelOne Singularity to monitor for suspicious process spawning and file system modifications on servers hosting OpenProject
- Implement centralized logging with correlation rules for detecting SQL injection attack patterns
- Configure alerts for application restarts that coincide with recent administrative changes
- Monitor database connections for queries containing unusual patterns or extended execution times
How to Mitigate CVE-2026-32698
Immediate Actions Required
- Upgrade OpenProject to version 16.6.9, 17.0.6, 17.1.3, or 17.2.1 immediately
- Audit all existing custom fields for suspicious names containing SQL metacharacters
- Review database logs for evidence of SQL injection attempts
- Verify git repository checkout paths for all projects are within expected directories
- Inspect OpenProject application directories for any unexpected Ruby files
Patch Information
OpenProject has released patched versions that address this vulnerability. The following versions contain the security fix:
- OpenProject 16.6.9 - For users on the 16.6.x branch
- OpenProject 17.0.6 - For users on the 17.0.x branch
- OpenProject 17.1.3 - For users on the 17.1.x branch
- OpenProject 17.2.1 - For users on the 17.2.x branch
For complete patch details, refer to the OpenProject Security Advisory on GitHub.
Workarounds
- Restrict administrator access to only trusted personnel until patching is complete
- Implement network segmentation to limit access to the OpenProject administrative interface
- Deploy a Web Application Firewall with SQL injection detection rules in front of OpenProject
- Disable the Cost Reports feature if not required for business operations
- Monitor and restrict filesystem write permissions for the OpenProject application process
# Example: Restrict access to OpenProject admin interface via nginx
location /admin {
allow 10.0.0.0/8;
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
