External risk intelligence

OpenProject SQL Injection in Timestamps Functionality.

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-52785

OpenProject is a web-based project management application designed for collaborative use. In typical real-world deployments, such platforms are commonly hosted as internet-facing web applications to enable access for distributed teams, making the application's interface and its underlying endpoints, including those handling project data, frequently reachable from the public internet.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in OpenProject, a web-based project management tool. This issue, a SQL injection flaw within the timestamps functionality, could allow unauthorized access and modification of project data if exploited. The primary concern is to confirm whether your organization utilizes this software and if it is exposed to potential external threats.

  • SQL injection flaw in project management software.
  • Critical severity; affects data integrity and access.
  • Confirm OpenProject use and external exposure.

Attack Path

How an attacker could exploit the issue

An attacker with basic user privileges could exploit a SQL injection vulnerability in OpenProject's timestamps functionality. By manipulating the timestamps parameter when requesting historic work-package attributes, an attacker could potentially alter database queries, leading to unauthorized data access, modification, or disclosure.

  • Requires authenticated access.
  • Manipulate timestamps parameter for injection.
  • Allows data compromise and unauthorized access.

Live Threat

Current exploitation, exposure, and threat context

A SQL injection vulnerability in OpenProject's timestamps functionality could allow an attacker to manipulate database queries. This could potentially expose sensitive information or disrupt service operations when supported by the advisory.

  • Project data could be exposed.
  • Via crafted timestamp parameters.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

Security teams responsible for OpenProject deployments should prioritize assessing the impact of this SQL injection vulnerability. The first practical move involves identifying all instances of OpenProject within your environment, confirming their network exposure and business criticality, and then locating the accountable owner for each instance to plan remediation based on risk.

  • Ownership: Application owners and security teams.
  • Verify first: Identify all OpenProject instances.
  • Action: Plan risk-based remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenProject?

OpenProject is an open-source, web-based platform designed for team collaboration and project management. It provides tools for teams to plan tasks, track progress, and manage work packages. It is frequently deployed to handle project workflows across distributed teams.

What does SQL injection mean for CVE-2026-52785?

This CVE involves CWE-89, a weakness where user-supplied input is not properly cleaned before being processed by a database. In this case, the application's timestamps functionality allows an attacker to inject malicious code into database queries, potentially leading to unauthorized access, modification, or disclosure of project data.

How can an attacker trigger this vulnerability?

An attacker triggers this by manipulating the timestamps parameter when requesting historic work-package attributes. Because the bug resides within this specific data-fetching process, it is not triggered by standard navigation or general interactions that do not involve requesting historic attributes.

Is my instance at risk?

According to Halo Surface Signal, because OpenProject is typically hosted as an internet-facing application to support remote collaboration, your instance is likely reachable from the public internet. If it is accessible externally, the risk is higher than for instances restricted to a private internal network.

What should I do to secure my OpenProject instance?

You should immediately identify all running instances of OpenProject in your environment and determine who owns them. Once located, verify the version in use and plan to update to version 17.3.3 or 17.4.1, which contain the fix for this vulnerability.

References