OpenProject, an open-source web-based project management tool, suffered from a critical OS command injection vulnerability (CVE-2026-25763) affecting versions before 16.6.7 and 17.0.3. The flaw exists in the repository changes endpoint (/projects/:project_id/repository/changes) when rendering the 'latest changes' view using the git log command. Specifically, the 'rev' parameter is not properly sanitized, allowing an attacker to inject arbitrary git log command-line options. For example, by supplying 'rev=--output=/tmp/poc.txt', an attacker can direct git log to write output to an arbitrary file path. Since the OpenProject process user has write permissions to certain paths, this leads to an arbitrary file write vulnerability. By crafting git commits with malicious content, the attacker can upload shell scripts, enabling remote code execution (RCE). This RCE allows attackers to spawn reverse shells and access sensitive files such as /etc/passwd, compromising confidentiality and system integrity. Exploitation requires authenticated users with the 'browse_repository' permission but no further user interaction. The vulnerability was assigned a CVSS 4.0 score of 9.4, indicating critical severity due to network exploitability, no required user interaction, and high impact on confidentiality, integrity, and availability. The issue was patched in OpenProject versions 16.6.7 and 17.0.3.

European organizations using vulnerable OpenProject versions face significant risks including unauthorized remote code execution, data exfiltration, and potential full system compromise. Attackers with limited repository browsing permissions can escalate privileges by injecting malicious commands, leading to reverse shells and access to sensitive files beyond the application scope. This threatens confidentiality of project data and underlying system files, integrity of the project management environment, and availability if attackers disrupt services or deploy ransomware. Given OpenProject's use in collaborative and project-critical environments, exploitation could disrupt workflows, leak intellectual property, and damage organizational reputation. The vulnerability's network accessibility and lack of user interaction requirement increase the likelihood of exploitation in European enterprises relying on OpenProject for project management.

1. Immediately upgrade OpenProject installations to version 16.6.7 or 17.0.3 or later to apply the official patch. 2. Restrict 'browse_repository' permissions to trusted users only, minimizing the attack surface. 3. Implement strict input validation and sanitization on all user-supplied parameters, especially those passed to system commands. 4. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block command injection attempts. 5. Monitor logs for unusual git log command executions or unexpected file writes in repository directories. 6. Use containerization or sandboxing to limit the impact of potential RCE exploits. 7. Conduct regular security audits and penetration tests focusing on repository endpoints. 8. Educate developers and administrators about secure coding practices related to command execution and parameter handling.