
CVE-2026-25763: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in opf openproject

Critical
Published: Fri Feb 06 2026 (02/06/2026, 22:10:13 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

CVE-2026-25763 is a critical OS command injection vulnerability in OpenProject versions prior to 16.6.7 and 17.0.3. It allows users with browse_repository permission to inject arbitrary git log command-line options via the rev parameter, leading to arbitrary file writes. Crafted commits can enable attackers to upload shell scripts, resulting in remote code execution (RCE). Exploitation requires no user interaction beyond permission to browse the repository. The vulnerability can lead to reverse shells and unauthorized access to sensitive files outside OpenProject. This flaw has been patched in the specified versions.

AI-Powered Analysis

AI analysis last updated: 02/06/2026, 22:29:28 UTC

Technical Analysis

CVE-2026-25763 is an OS command injection vulnerability classified under CWE-78 affecting OpenProject, an open-source web-based project management software. The flaw exists in the repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view using git log. Specifically, the rev parameter is improperly sanitized, allowing an attacker to inject arbitrary git log command-line options such as --output=/tmp/poc.txt. When OpenProject executes the SCM git log command, Git interprets the injected options, enabling the attacker to write output to arbitrary file paths writable by the OpenProject process user. Although the output is git log data, attackers can craft commits to embed shell scripts, effectively enabling remote code execution (RCE). This RCE can be leveraged to establish reverse shells, escalate privileges, and access sensitive files like /etc/passwd outside the application context. Exploitation requires only the browse_repository permission, which is commonly granted in project collaboration settings. The vulnerability affects OpenProject versions before 16.6.7 and 17.0.3, and has been patched in these releases. The CVSS 4.0 score of 9.4 reflects the vulnerability’s critical nature, with network attack vector, low attack complexity, no user interaction, and privileges required but with high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported yet, but the potential for severe damage is significant.

Potential Impact

For European organizations, this vulnerability poses a severe risk to the confidentiality, integrity, and availability of project management environments. OpenProject is widely used in software development, engineering, and collaborative project management across Europe, including in government, education, and private sectors. Successful exploitation could allow attackers to execute arbitrary code on servers, leading to data breaches, unauthorized access to sensitive internal files, and potential lateral movement within networks. The ability to write arbitrary files and execute shell scripts increases the risk of persistent backdoors and ransomware deployment. Organizations relying on OpenProject for critical project workflows could face operational disruptions and reputational damage. The vulnerability’s exploitation could also impact compliance with GDPR and other data protection regulations due to unauthorized data exposure. Given the ease of exploitation and the commonality of the browse_repository permission, the threat is particularly acute for organizations with collaborative development environments and insufficient access controls.

Mitigation Recommendations

Organizations should immediately upgrade OpenProject installations to versions 16.6.7 or 17.0.3 or later, where the vulnerability is patched. Until upgrades are applied, restrict the browse_repository permission to trusted users only, minimizing the attack surface. Implement strict input validation and sanitization on parameters that interact with system commands, particularly rev or similar inputs. Employ application-layer firewalls or Web Application Firewalls (WAFs) to detect and block suspicious command injection patterns targeting the repository changes endpoint. Monitor logs for unusual git log command executions or unexpected file writes, especially to temporary directories. Conduct regular audits of user permissions and repository access controls to ensure least privilege principles. Isolate OpenProject servers within segmented network zones to limit potential lateral movement. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.
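The input-validation and safe-command-construction advice above, shown as an added Ruby example (OpenProject is a Rails application, but this is not the project's own code and not its actual patch): the revision is checked against a strict allow-list that rejects anything starting with "-", and the git command is built as an argv array terminated with "--end-of-options" (a Git 2.24+ feature) so a revision can never be parsed as an option. The helper names safe_rev?, git_log_argv and run_git_log are assumed for illustration.

```ruby
# Added example, not OpenProject's own code: hardening a Git revision
# parameter (the "rev" input discussed above) before it reaches `git log`.
require 'open3' # used by run_git_log so no shell is ever involved

# Allow-list for a revision: hex SHAs and ref names such as "main",
# "release/17.0", "v17.0.3". A leading "-" is forbidden because git would
# read the value as an option, which is the CWE-78 pattern in this CVE.
SAFE_REV = %r{\A[A-Za-z0-9][A-Za-z0-9._/-]{0,255}\z}

def safe_rev?(rev)
  return false unless rev.is_a?(String)
  return false unless rev.match?(SAFE_REV)
  return false if rev.include?('..') # no ranges or parent-dir-like segments
  true
end

# Build the argv for `git log`. Two defences stack here: the rev is validated,
# and "--end-of-options" tells git that everything after it is an operand,
# so even an unexpected value cannot be treated as an option like --output.
def git_log_argv(repo_path, rev, limit: 20)
  raise ArgumentError, "refusing unsafe revision: #{rev.inspect}" unless safe_rev?(rev)

  ['git', '--git-dir', repo_path, 'log', '--no-color',
   "--max-count=#{Integer(limit)}", '--end-of-options', rev]
end

# Execute with the argv form of Open3 (no string interpolation into a shell).
def run_git_log(repo_path, rev, limit: 20)
  out, err, status = Open3.capture3(*git_log_argv(repo_path, rev, limit: limit))
  raise "git log failed: #{err.strip}" unless status.success?

  out
end
```

The regex deliberately rejects valid-but-unusual refs (for example names containing "@" or "{"); for a repository browser that only needs to display recent history, a narrow allow-list is a safer default than trying to enumerate every option git might accept.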


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-05T18:35:52.358Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 698667edf9fa50a62f37ce33

Added to database: 2/6/2026, 10:15:09 PM

Last enriched: 2/6/2026, 10:29:28 PM

Last updated: 2/7/2026, 12:24:07 AM

