CVE-2026-24685 is a command injection vulnerability classified under CWE-77 affecting OpenProject, an open-source web-based project management software. The flaw exists in the repository diff download endpoint (/projects/:project_id/repository/diff.diff) when rendering a single revision using the git show command. Specifically, the rev parameter is not properly sanitized, allowing an attacker to inject arbitrary git show command-line options. For example, by supplying rev=--output=/tmp/poc.txt, the attacker can cause git show to write its output to an arbitrary file path. Since OpenProject executes the git show command with the attacker-controlled rev value, this leads to an arbitrary file write vulnerability. Any user with the browse_repository permission on a project can exploit this to create or overwrite files that the OpenProject process user has write access to. The contents written are the git show output, including commit metadata and patch data. Overwriting critical application or configuration files can result in data loss, denial of service, and compromise of system integrity and availability. The vulnerability does not require user interaction or elevated privileges beyond browse_repository permission, making it easier to exploit. The issue affects OpenProject versions prior to 16.6.6 and versions from 17.0.0 up to but not including 17.0.2. The vendor has addressed the vulnerability in OpenProject 16.6.6 and 17.0.2. The CVSS 4.0 score is 9.4, reflecting the critical nature of this vulnerability with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the ease of exploitation and severity warrant immediate attention.

For European organizations using affected OpenProject versions, this vulnerability poses a significant risk. Attackers with browse_repository permissions—which may be granted to internal users or external collaborators—can overwrite arbitrary files on the server hosting OpenProject. This can lead to data loss, corruption of project management data, denial of service by disrupting application functionality, and potential further compromise if critical configuration files are overwritten. The integrity and availability of project management operations could be severely impacted, disrupting business workflows and collaboration. Given OpenProject's use in various industries across Europe, including government, manufacturing, and IT services, the disruption could have wide-reaching operational and reputational consequences. Additionally, the vulnerability could be leveraged as a foothold for lateral movement or privilege escalation if combined with other vulnerabilities or misconfigurations. The lack of required user interaction and the low complexity of exploitation increase the likelihood of attacks, especially in environments where repository browsing permissions are broadly assigned.

1. Immediately upgrade OpenProject installations to version 16.6.6 or 17.0.2 or later, where the vulnerability is patched. 2. Audit and restrict the browse_repository permission to the minimum necessary users, limiting exposure to potential attackers. 3. Implement file system monitoring on servers hosting OpenProject to detect unauthorized file creation or modification, especially in critical directories. 4. Use application-level input validation or web application firewalls (WAFs) to detect and block suspicious parameters in requests to the repository diff endpoint. 5. Regularly review and harden server permissions to ensure the OpenProject process user has minimal write access, reducing the impact of arbitrary file writes. 6. Monitor logs for unusual git show command executions or unexpected file writes. 7. Educate users with repository browsing permissions about the risk and encourage reporting of suspicious activity. 8. Consider network segmentation to isolate OpenProject servers from sensitive systems to limit lateral movement in case of compromise.