CVE-2026-24685

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24685
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24685.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24685
Aliases
  • GHSA-74p5-9pr3-r6pw
Published
2026-01-28T16:47:22.850Z
Modified
2026-03-01T02:57:26.473705Z
Severity
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
OpenProject has Argument Injection on Repository module that allows Arbitrary File Write
Details

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (/projects/:project_id/repository/diff.diff) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-77"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24685.json"
}
References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type
GIT
Repo
https://github.com/opf/openproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
319164a4d93247e42c5e6e0e470516f7775ad928
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "16.6.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/opf/openproject
Events
Introduced
acbb059c8820da8236cee1f43dc0796d83836259
Fixed
87a8cdc7632de8ab06475ba373fd354e0be30e2a
Database specific 
{
    "versions": [
        {
            "introduced": "17.0.0"
        },
        {
            "fixed": "17.0.2"
        }
    ]
}

Affected versions

11.*
11.2.1
2.*
2.4.0
release/3.*
release/3.0.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v10.*
v10.5
v11.*
v11.0.0
v11.0.1
v11.0.2
v11.0.3
v11.0.4
v11.1.0
v11.1.1
v11.1.2
v11.1.3
v11.1.4
v11.2.0
v11.2.1
v11.2.2
v11.2.3
v11.2.4
v16.*
v16.0.0
v16.0.1
v16.1.0
v16.1.1
v16.2.0
v16.2.1
v16.2.2
v16.3.0
v16.3.1
v16.3.2
v16.4.0
v16.4.1
v16.5.0
v16.5.1
v16.6.0
v16.6.1
v16.6.2
v16.6.3
v16.6.4
v16.6.5
v17.*
v17.0.0
v17.0.1
v3.*
v3.0.0
v3.0.1
v3.0.11
v3.0.12
v3.0.13
v3.0.8
v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-beta
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v9.*
v9.0.0-pre
v9.0.2-pre

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24685.json"