
CVE-2026-22600: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in opf openproject

Severity: Critical
Tags: Vulnerability, CVE-2026-22600, CWE-200
Published: Sat Jan 10 2026 (01/10/2026, 01:06:00 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.

AI-Powered Analysis

Last updated: 01/10/2026, 02:00:54 UTC

Technical Analysis

CVE-2026-22600 is a critical vulnerability in OpenProject, an open-source web-based project management software, affecting versions prior to 16.6.4. The flaw resides in the work package PDF export functionality, where the backend uses ImageMagick to process images attached to work packages. An attacker with permission to upload attachments can craft a malicious SVG file disguised as a PNG. When the work package is exported to PDF, ImageMagick attempts to resize the image and processes the embedded 'text:' coder, which can be manipulated to read arbitrary local files on the server. This Local File Read (LFR) vulnerability allows exposure of sensitive files such as /etc/passwd, project configuration files, and private project data accessible by the application user. Exploitation requires the attacker to have upload permissions but does not require user interaction beyond that. The vulnerability has a CVSS v3.1 score of 9.1, reflecting network attack vector, low complexity, privileges required, no user interaction, and a scope change with high confidentiality impact, low integrity impact, and low availability impact. No known exploits are reported in the wild yet. The vendor patched the vulnerability in OpenProject version 16.6.4, and manual patching is possible for users unable to upgrade immediately. This vulnerability highlights the risks of unsafe image processing and the importance of strict input validation and permission controls in collaborative software platforms.

Potential Impact

For European organizations, this vulnerability poses a significant risk of sensitive information disclosure, including internal project data and system files, which could lead to further attacks such as privilege escalation or lateral movement within networks. Organizations relying on OpenProject for project management, especially in sectors like government, finance, healthcare, and critical infrastructure, may face data breaches impacting confidentiality and compliance with data protection regulations such as GDPR. The ability to read arbitrary files can expose credentials, configuration files, and proprietary information, undermining trust and operational security. Since exploitation requires upload permissions, insider threats or compromised user accounts increase risk. The scope of affected systems includes all OpenProject installations running versions prior to 16.6.4, which may be widespread in European enterprises and public sector entities using open-source project management tools. The critical severity and network exploitability mean attackers can remotely leverage this vulnerability without user interaction, increasing the urgency for mitigation.

Mitigation Recommendations

1. Immediately upgrade OpenProject installations to version 16.6.4 or later, where the vulnerability is patched.
2. If upgrading is not feasible, apply the vendor-provided manual patch to the affected code handling image processing in PDF exports.
3. Restrict upload permissions strictly to trusted users and roles; audit and minimize who can upload attachments to work packages.
4. Implement file type validation and scanning on uploaded files to detect and block malicious SVG or disguised files.
5. Monitor logs for unusual PDF export activity or suspicious file uploads indicative of exploitation attempts.
6. Consider isolating the OpenProject server environment and limiting file system permissions to reduce the impact of any file read attempts.
7. Educate users about the risks of uploading untrusted files and enforce strong access controls.
8. Regularly review and update security policies related to third-party software and open-source components.
9. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect exploitation patterns targeting ImageMagick vulnerabilities.
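Recommendation 4 above hinges on checking what an attachment actually contains rather than what the client declares. The helper below is an added example written for this advisory in Ruby (the language OpenProject is implemented in); it is not OpenProject's own code, and the function name, return symbols and sample inputs are assumptions constructed here. It rejects a declared PNG/JPEG/GIF whose bytes do not carry that format's signature, and specifically flags XML text (an SVG root, XML prolog or DOCTYPE) presented as a raster image, which is the "SVG disguised as PNG" pattern the description refers to.

```ruby
# Added example: content-based type check for a declared raster image.
# Hypothetical helper, not OpenProject code. Refuses uploads whose bytes do
# not match the declared MIME type, and in particular text/XML payloads
# (an SVG root or XML prolog) presented as PNG/JPEG/GIF.

UTF8_BOM = "\xEF\xBB\xBF".b.freeze

# Leading bytes each accepted raster type must start with.
RASTER_MAGIC = {
  'image/png'  => ["\x89PNG\r\n\x1a\n".b],
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/gif'  => ["GIF87a".b, "GIF89a".b]
}.freeze

# Maps a filename extension to the MIME type the client should have declared.
EXT_TO_MIME = { 'png' => 'image/png', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'gif' => 'image/gif' }.freeze

# Returns :ok or a symbol naming the reason the attachment should be rejected.
def check_raster_upload(filename, declared_type, bytes)
  ext = File.extname(filename.to_s).delete_prefix('.').downcase
  return :unsupported_type unless EXT_TO_MIME[ext] == declared_type &&
                                  RASTER_MAGIC.key?(declared_type)

  head = bytes.to_s.byteslice(0, 512).b
  head = head.byteslice(UTF8_BOM.bytesize, head.bytesize) if head.start_with?(UTF8_BOM)

  # SVG is XML text: reject anything whose first non-blank bytes open an XML
  # prolog, DOCTYPE or <svg element, whatever type the client declared.
  return :svg_disguised if head.lstrip =~ /\A<(\?xml|!DOCTYPE|svg)\b/i

  # Otherwise require the real signature of the declared raster format.
  return :magic_mismatch unless RASTER_MAGIC[declared_type].any? { |m| head.start_with?(m) }

  :ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: a minimal PNG signature plus IHDR tag, and a harmless
  # SVG document uploaded under a .png name (no exploit payload involved).
  png = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR".b
  svg = %(<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>)
  puts check_raster_upload('diagram.png', 'image/png', png) # ok
  puts check_raster_upload('diagram.png', 'image/png', svg) # svg_disguised
end
```

A check like this belongs on the upload path, before the file is stored; it does not replace upgrading to 16.6.4, since it only blocks the disguised-attachment delivery route and not the underlying ImageMagick behaviour.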


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-07T21:50:39.533Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6961b006ed32c7f018eb8fd5

Added to database: 1/10/2026, 1:48:54 AM

Last enriched: 1/10/2026, 2:00:54 AM

Last updated: 1/10/2026, 6:52:24 PM

Views: 15
