CVE-2026-30234 is a path traversal vulnerability classified under CWE-22 affecting OpenProject, an open-source web-based project management software. The flaw exists in versions prior to 17.2.0 and involves improper validation of the <Snapshot> element within the markup.bcf file of a .bcf archive uploaded during BCF import. Authenticated users with BCF import permissions can craft a .bcf archive where the <Snapshot> value contains absolute or relative path traversal sequences (e.g., /etc/passwd or ../../../../etc/passwd). During the import process, OpenProject uses this untrusted <Snapshot> value as a file path when processing attachments without properly restricting it to the ZIP archive scope. This allows the application to read arbitrary files on the local filesystem with the privileges of the OpenProject application user. The vulnerability does not allow modification or deletion of files, only reading. Exploitation requires the attacker to be an authenticated project member with BCF import rights, but no additional user interaction is needed beyond uploading the crafted archive. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high confidentiality impact. No known exploits in the wild have been reported as of the publication date. The issue is resolved in OpenProject version 17.2.0 by properly validating and restricting the <Snapshot> path values during import.

This vulnerability allows attackers with authenticated BCF import permissions to read arbitrary files on the server hosting OpenProject, potentially exposing sensitive configuration files, credentials, or other confidential data. The impact is primarily on confidentiality, as integrity and availability are not affected. Organizations using vulnerable versions risk unauthorized disclosure of sensitive internal information, which could facilitate further attacks such as privilege escalation or lateral movement. Since exploitation requires authentication and specific permissions, the risk is limited to insiders or compromised accounts. However, in environments where OpenProject is widely used for project management, this could lead to leakage of intellectual property or personal data. The medium severity rating reflects the balance between the potential data exposure and the exploitation prerequisites. The vulnerability could be leveraged in targeted attacks against organizations relying on OpenProject for collaboration, especially if user accounts are compromised or insider threats exist.

To mitigate this vulnerability, organizations should upgrade OpenProject to version 17.2.0 or later, where the issue is fixed. Until upgrading, restrict BCF import permissions to trusted users only and monitor import activities closely. Implement strict access controls and auditing on OpenProject user roles to minimize the number of users with BCF import rights. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious .bcf archive uploads containing path traversal patterns. Regularly review server file permissions to ensure the OpenProject application user has minimal read access only to necessary directories, limiting the scope of potential data exposure. Conduct internal security awareness training to reduce the risk of credential compromise for users with elevated permissions. Finally, maintain up-to-date backups and incident response plans to quickly address any exploitation attempts.