CRITICAL · CVE-2026-52785 · CNA: GitHub_M

CVE-2026-52785: OpenProject: SQL injection in timestamps functionality

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

SQL injection in the timestamps functionality of OpenProject, an open-source web-based project management platform. The vulnerability is reachable over the network by any authenticated user with a low-privilege account, and no victim interaction is required. Successful exploitation gives an attacker full read and write access to the underlying database, crossing trust boundaries beyond the originating session. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment the upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-52785 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built OpenProject images. Coverage applies to any image carrying an affected opf/openproject package version below 17.3.3, or from 17.4.0 up to but not including 17.4.1.

Status: Available

Triage

HarborGuard scores this CVE at 9.9 CRITICAL using the CVSS v3.1 vector and weights it further against each customer environment's compliance policy, so high-risk workloads surface at the top of the queue. Findings are routed to the team inbox configured for the affected service within each customer org.

Status: Available

Patch

No upstream fix versions have been published at this time, so HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the OpenProject service over the network; the CVSS vector specifies AV:N, meaning the vulnerable endpoint can be attacked by any client with network access to the service.

  • Authentication: Required

    A valid account is required, but any low-privilege user account is sufficient; the CVSS vector specifies PR:L, meaning no administrative rights are needed.

  • Victim interaction: Not required

    The attacker can exploit this vulnerability without any action from another user; the CVSS vector specifies UI:N.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; the CVSS vector specifies AC:L, meaning no race conditions or special environmental factors must align.

Blast Radius

  • Reads arbitrary rows from the database, including work-package records, user credentials, session tokens, and any other data accessible to the database role.
  • Modifies or deletes persisted database rows, allowing an attacker to corrupt project data, escalate privileges, or plant malicious records.
  • The scope of impact crosses the originating application boundary (CVSS S:C), meaning database contents shared by other application components or tenants can also be affected.
  • Availability impact is rated Low, meaning targeted queries can degrade query performance or lock specific rows, causing partial service disruption without a full crash.

How HarborGuard Handles This

Available on HarborGuard: detection for this critical SQL injection is active immediately on ingest, flagging any image that packages an affected version of opf/openproject. Because no upstream fix version exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild as soon as the maintainers publish 17.3.3 or 17.4.1. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will trigger automatically at that point.

In the interim, recommended compensating controls include applying network policy to restrict access to the OpenProject service to trusted internal networks only, enabling egress filtering to limit what the application can reach if a payload is executed, and reviewing application-level access controls to ensure the timestamps parameter endpoint is not exposed to untrusted or anonymous users. Where compliance policy permits, setting the affected workload to read-only replica mode can limit write-side blast radius until a patch is available.

Affected packages
  • opf / openproject
    < 17.3.3 · >= 17.4.0, < 17.4.1
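The two affected ranges above are disjoint, so a single upper-bound comparison misclassifies the fixed 17.3.x releases. The following added example (not HarborGuard or OpenProject code; all function names are illustrative) evaluates the ranges exactly as listed and refuses to guess on tags that are not plain X.Y.Z versions.

```python
import operator
import re

# Ranges copied from the "Affected packages" entry on this page. Each string is
# one range; a version is affected if it meets every constraint of any range.
AFFECTED_RANGES = ["< 17.3.3", ">= 17.4.0, < 17.4.1"]

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
CONSTRAINT_RE = re.compile(r"^(<=|>=|==|<|>)\s*(\S+)$")

def parse_version(text):
    """Return (major, minor, patch); reject anything else for manual triage."""
    match = VERSION_RE.match(text.strip())
    if not match:
        # Pre-release or suffixed tags (e.g. "-rc1") sort differently between
        # ecosystems, so fail loudly instead of silently truncating them.
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def parse_range(expr):
    """Turn '>= 17.4.0, < 17.4.1' into [(operator.ge, (17, 4, 0)), ...]."""
    constraints = []
    for part in expr.split(","):
        match = CONSTRAINT_RE.match(part.strip())
        if not match:
            raise ValueError(f"unsupported constraint: {part!r}")
        constraints.append((OPS[match.group(1)], parse_version(match.group(2))))
    return constraints

def is_affected(version, ranges=AFFECTED_RANGES):
    """True if the version falls inside any of the affected ranges."""
    candidate = parse_version(version)
    return any(all(op(candidate, bound) for op, bound in parse_range(expr))
               for expr in ranges)

def naive_is_affected(version):
    """Common shortcut: only the highest fixed version. Wrong for 17.3.3+."""
    return parse_version(version) < (17, 4, 1)
```
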
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L