CVE-2026-22601: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in opf openproject
OpenProject is an open-source, web-based project management software. In OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.
AI Analysis
Technical Summary
CVE-2026-22601 is a command injection vulnerability in OpenProject, an open-source, web-based project management tool widely used for collaborative project tracking and documentation. The flaw affects versions 16.6.1 and earlier: the path of the sendmail binary is an administrator-configurable setting, and special characters in that value are not properly neutralized before the path is used to invoke the mailer. An administrator who sets a malicious sendmail path and then triggers the test email function can therefore execute arbitrary system commands on the underlying server. The weakness is classified as CWE-77, improper neutralization of special elements used in a command. Exploitation requires no user interaction and can be performed remotely over the network, but only by an attacker who holds administrator credentials. The CVSS v4.0 score of 8.6 reflects high impact on confidentiality, integrity, and availability, with a network attack vector and low attack complexity; the only privilege needed is an administrator account. OpenProject version 16.6.2 addresses the issue by properly sanitizing the input. No public exploits have been reported yet, but the potential for full system compromise makes this a critical issue for organizations relying on OpenProject for project management.
Potential Impact
For European organizations, this vulnerability poses a significant risk due to the potential for full system compromise via command injection. Attackers gaining administrator access can execute arbitrary commands, potentially leading to data theft, service disruption, or lateral movement within the network. Organizations using OpenProject for sensitive project management, especially in sectors like finance, government, and critical infrastructure, could face confidentiality breaches and operational downtime. The vulnerability could also be leveraged to deploy ransomware or other malware, amplifying the impact. Since OpenProject is often deployed in collaborative environments, exploitation could affect multiple teams and projects simultaneously. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation. European entities with exposed administrative interfaces or weak access controls are particularly vulnerable.
Mitigation Recommendations
Organizations should immediately upgrade OpenProject installations to version 16.6.2 or later, where the vulnerability is patched. Until patching is complete, restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Network segmentation should be employed to limit access to the OpenProject administrative interface, ideally restricting it to internal networks or VPN connections. Regularly audit and monitor logs for unusual activity related to sendmail configuration changes or test email operations. Employ application-level input validation and sanitization where possible to detect anomalous command inputs. Conduct security awareness training for administrators to recognize and report suspicious behavior. Additionally, consider implementing host-based intrusion detection systems (HIDS) to detect command injection attempts and maintain up-to-date backups to enable recovery in case of compromise.
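The fix pattern for this weakness class, validating the configured mailer path before use and invoking the mailer without a shell, as an added example written for this page. It is not OpenProject's code and does not reflect how OpenProject stores or uses the setting; the allowlist, the function names and the sample paths are assumptions. The point it shows is that a binary path is data, not a command line: it is checked against a short allowlist and rejected if it contains anything a shell would interpret, and it is then passed to the process spawner as a separate argv element rather than interpolated into a command string.

```ruby
require "open3"

# Added example, not OpenProject's code. A constructed allowlist of locations
# where a sendmail-compatible mailer is normally installed; a deployment would
# tailor this list to its own hosts.
ALLOWED_SENDMAIL_PATHS = %w[/usr/sbin/sendmail /usr/lib/sendmail /usr/bin/msmtp].freeze

# Characters that are meaningful to /bin/sh. A binary path never legitimately
# contains any of them, so their presence is rejected outright.
SHELL_METACHARS = /[;&|`$<>()'"\\*?\[\]{}!#~\s]/

class InvalidSendmailPath < StandardError; end

# Validates an administrator-supplied sendmail path and returns it unchanged,
# or raises InvalidSendmailPath. Checks, in order: it is a String, it is
# absolute, it contains no shell metacharacters, it is on the allowlist, and
# (when check_fs is true) it names an executable regular file on this host.
def validate_sendmail_path(path, check_fs: true)
  raise InvalidSendmailPath, "path must be a String" unless path.is_a?(String)
  raise InvalidSendmailPath, "path must be absolute" unless path.start_with?("/")
  raise InvalidSendmailPath, "path contains shell metacharacters" if path.match?(SHELL_METACHARS)
  raise InvalidSendmailPath, "path is not on the allowlist" unless ALLOWED_SENDMAIL_PATHS.include?(path)
  if check_fs && !(File.file?(path) && File.executable?(path))
    raise InvalidSendmailPath, "path is not an executable regular file"
  end
  path
end

# Boolean convenience wrapper for settings forms and tests.
def sendmail_path_valid?(path, check_fs: true)
  validate_sendmail_path(path, check_fs: check_fs)
  true
rescue InvalidSendmailPath
  false
end

# Sends a message through the validated mailer. Passing the program and each
# flag as separate arguments makes Open3 call Process.spawn without a shell,
# so the configured path is only ever treated as a program name, never parsed
# as a command line. Returns true when the mailer exits successfully.
def send_test_email(sendmail_path, message)
  path = validate_sendmail_path(sendmail_path)
  _output, status = Open3.capture2(path, "-t", "-i", stdin_data: message)
  status.success?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values showing what the validator accepts and rejects.
  ["/usr/sbin/sendmail", "sendmail", "/tmp/sendmail", "/usr/sbin/sendmail -v"].each do |candidate|
    verdict = sendmail_path_valid?(candidate, check_fs: false) ? "accepted" : "rejected"
    puts "#{candidate.inspect}: #{verdict}"
  end
end
```

The allowlist is the strongest of the three checks and the one an operator can audit; the metacharacter filter is a backstop in case the allowlist is later relaxed, and the argv-style spawn means that even a value that slipped past both would be looked up as a file name rather than handed to a shell.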
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-07T21:50:39.533Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6961b006ed32c7f018eb8fd9
Added to database: 1/10/2026, 1:48:54 AM
Last enriched: 1/10/2026, 2:00:37 AM
Last updated: 1/10/2026, 10:16:06 PM