
CVE-2026-22600: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in opf openproject

Severity: Critical
Tags: Vulnerability, CVE-2026-22600, CWE-200
Published: Sat Jan 10 2026 (01/10/2026, 01:06:00 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.

AI-Powered Analysis

Last updated: 01/17/2026, 07:43:14 UTC

Technical Analysis

CVE-2026-22600 is a critical vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting OpenProject, an open-source web-based project management software. The flaw resides in the work package PDF export functionality prior to version 16.6.4. Specifically, the vulnerability arises from the backend image processing engine, ImageMagick, which is used to resize images during PDF export. An attacker with permission to upload attachments to a container (e.g., a work package) can upload a specially crafted SVG file disguised as a PNG. When the PDF export process triggers ImageMagick's text: coder feature to resize the image, it inadvertently allows the attacker to read arbitrary local files that the application user has access to. This can include sensitive files such as /etc/passwd, project configuration files, and private project data. The attack vector requires the attacker to have at least limited privileges (upload permissions) but does not require user interaction beyond the upload. The vulnerability impacts confidentiality severely, with some impact on integrity and availability due to potential exposure of sensitive data and disruption of normal operations. The issue has been addressed in OpenProject version 16.6.4, and users unable to upgrade can apply manual patches. No known exploits are currently reported in the wild, but the high CVSS score (9.1) indicates a critical risk.

Potential Impact

For European organizations, the impact of CVE-2026-22600 is significant due to the potential exposure of sensitive internal data, including project details, configuration files, and system information. This exposure can lead to further attacks such as privilege escalation, lateral movement, or targeted espionage. Organizations in sectors relying heavily on project management tools—such as government agencies, engineering firms, software development companies, and research institutions—may face confidentiality breaches that compromise intellectual property or sensitive operational data. The vulnerability could also undermine trust in collaborative environments and lead to regulatory compliance issues under GDPR if personal or sensitive data is exposed. Additionally, the ability to read arbitrary files may allow attackers to gather information for subsequent attacks, increasing the overall risk posture. The requirement for upload permissions limits the attack surface but does not eliminate risk, especially in environments with many users or third-party collaborators.

Mitigation Recommendations

European organizations using OpenProject should immediately upgrade to version 16.6.4 or later to remediate this vulnerability. If upgrading is not feasible, applying the official manual patch is essential. Administrators should audit and restrict upload permissions to trusted users only, minimizing the number of accounts that can upload attachments to exportable containers. Implement strict file type validation and scanning on uploaded files to detect and block malicious SVG files disguised as PNGs. Monitoring and logging of PDF export activities and attachment uploads can help detect suspicious behavior. Network segmentation and least privilege principles should be enforced to limit the impact of any successful exploitation. Additionally, organizations should review and harden ImageMagick configurations to disable or restrict potentially dangerous coders such as the text: coder. Regular security assessments and penetration testing focusing on file upload functionalities can help identify similar risks proactively.
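The "strict file type validation" recommended above can be implemented by checking an upload's actual leading bytes against its declared content type, so an SVG renamed to .png never reaches ImageMagick. The following is an added Ruby example, not OpenProject's own code; the function names, the sample inputs and the `allow_svg` policy switch are assumptions for illustration.

```ruby
# Added example (not OpenProject code): reject attachments whose declared
# content type does not match their magic bytes, and treat SVG as a
# separately gated format because it reaches ImageMagick's vector/text path.

PNG_MAGIC  = "\x89PNG\r\n\x1a\n".b
JPEG_MAGIC = "\xFF\xD8\xFF".b
GIF_MAGICS = ["GIF87a".b, "GIF89a".b]
UTF8_BOM   = "\xEF\xBB\xBF".b

# Sniff the real format from the first 512 bytes, independent of the
# filename or the client-supplied MIME type. Returns a symbol.
def sniff_image_type(bytes)
  head = bytes.byteslice(0, 512).to_s.b
  return :png  if head.start_with?(PNG_MAGIC)
  return :jpeg if head.start_with?(JPEG_MAGIC)
  return :gif  if GIF_MAGICS.any? { |m| head.start_with?(m) }
  # SVG is XML text: strip an optional BOM and whitespace, then look for markup.
  head = head.byteslice(3..-1) if head.start_with?(UTF8_BOM)
  text = head.lstrip
  return :svg    if text.match?(/<svg[\s>\/]/i)   # <svg root somewhere in the head
  return :markup if text.start_with?("<")         # other XML/HTML, never a raster image
  :unknown
end

DECLARED_TO_SNIFFED = {
  "image/png" => :png, "image/jpeg" => :jpeg,
  "image/gif" => :gif, "image/svg+xml" => :svg
}.freeze

# Returns [accepted, reason]. A raster declaration must match its magic bytes
# exactly; SVG is accepted only when the deployment explicitly allows it.
def validate_upload(declared_type, bytes, allow_svg: false)
  expected = DECLARED_TO_SNIFFED[declared_type]
  return [false, "unsupported declared type #{declared_type}"] if expected.nil?
  sniffed = sniff_image_type(bytes)
  return [false, "content sniffed as #{sniffed}, declared #{declared_type}"] if sniffed != expected
  return [false, "SVG uploads are disabled"] if sniffed == :svg && !allow_svg
  [true, "ok"]
end

# Constructed sample: an SVG body uploaded under a PNG content type.
DISGUISED_SVG = "<?xml version=\"1.0\"?><svg xmlns=\"http://www.w3.org/2000/svg\"><text>x</text></svg>"
puts validate_upload("image/png", DISGUISED_SVG).inspect if __FILE__ == $0
```

Run the check server-side on the stored bytes, not on the client-reported type, and combine it with an ImageMagick policy that restricts the text: coder so that a validation miss still cannot read local files.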


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-07T21:50:39.533Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6961b006ed32c7f018eb8fd5

Added to database: 1/10/2026, 1:48:54 AM

Last enriched: 1/17/2026, 7:43:14 AM

Last updated: 2/7/2026, 1:39:52 AM
