Home / Vulnerability Intelligence / CVE-2026-32698

CVE-2026-32698 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 19, 2026

OpenProject - SQL Injection & Remote Code Execution

Published: March 18, 2026Updated: March 19, 2026Remote Exploitable

Overview

OpenProject < 16.6.9, 17.0.6, 17.1.3, and 17.2.1 contains an SQL injection caused by improper sanitization of custom field names in Cost Reports, letting administrators execute arbitrary SQL commands and inject Ruby code via project identifier manipulation.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 2.7%(Probability of exploitation in next 30 days)

Impact

Administrators can execute arbitrary SQL commands and inject Ruby code, potentially leading to full system compromise.

Mitigation

Upgrade to versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1 or later.

References

https://github.com/opf/openproject/security/advisories/GHSA-jqhf-rf9x-9rhx

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 19, 2026

🚨 CRITICAL: CVE-2026-32698 in OpenProject (CVSS 9.1) enables SQL injection via admin-created custom fields, leading to potential RCE if chained with repo module bug. Patch to 16.6.9/17.0.6/17.1.3/17.2.1+ now! https://radar.offseq.com/threat/cve-2026-32698-cwe-89-improper-neutralization-of-s-a9afd70e #OffSeq #SQLInjection #OpenProject #InfoSec

View original post

Related Resources

Details

CVE ID: CVE-2026-32698
Severity: Critical
CVSS Score: 9.1
Type: sql_injection
Status: confirmed
EPSS: 2.7%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

2.7%Probability of exploitation in the next 30 days