{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34717", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.753Z", "datePublished": "2026-04-02T17:59:55.742Z", "dateUpdated": "2026-04-02T17:59:55.742Z"}, "containers": {"cna": {"title": "OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364"}, {"name": "https://github.com/opf/openproject/releases/tag/v17.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/releases/tag/v17.2.3"}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"version": "< 17.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:59:55.742Z"}, "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3."}], "source": {"advisory": "GHSA-5rrm-6qmq-2364", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3."}], "id": "CVE-2026-34717", "lastModified": "2026-04-02T18:16:33.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:33.083", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/opf/openproject/releases/tag/v17.2.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,17.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openproject", "source": "cna", "vendor": "opf"}, "product": "openproject", "vendor": "opf"}], "analysis": {"en": {"generated_at": "2026-04-02T22:53:36.143946+00:00", "value": {"mitigation_remediation": ["Apply the official OpenProject patch to version 17.2.3 or later", "Disable or restrict access to the cost\u2011reporting interface until the upgrade is complete", "Verify that no other components consume unsanitized input in similar patterns", "Monitor database logs for unusual query activity after deployment"], "summary": {"action": "Immediate Patch", "impact": "Data Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "Any OpenProject installation running a version older than 17.2.3 is susceptible. The security team has released a patch in release 17.2.3 that eliminates the vulnerable code. Administrators should verify the current version and upgrade promptly; no later versions are known to retain the flaw.", "description_and_impact": "The vulnerability resides in OpenProject\u2019s cost reporting module. The =n operator in modules/reporting/lib/report/operator.rb embeds user\u2011supplied text directly into SQL WHERE clauses without parameterization, creating a classic SQL injection flaw (CWE\u201189). An attacker who controls this input could inject arbitrary SQL, potentially reading, modifying, or deleting sensitive project data or even executing privileged database commands, thereby compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The flaw is scored as CVSS 9.9, indicating a high\u2011severity risk. EPSS information is not provided, and the issue is not yet listed in CISA\u2019s Known Exploited Vulnerabilities catalog, suggesting limited evidence of active exploitation. The likely attack vector is remote, via the web interface, and the cost\u2011reporting functionality may be accessible without authentication, making the condition for exploitation straightforward. Once an attacker supplies crafted input to the =n operator, they can manipulate the database query to achieve the outcomes described above."}}}}, "created": "2026-04-03T07:32:06.313480+00:00", "updated": "2026-04-03T09:17:07.078859+00:00", "vendors": ["opf", "opf$PRODUCT$openproject"]}