{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22601", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.533Z", "datePublished": "2026-01-10T01:06:05.430Z", "dateUpdated": "2026-01-12T19:16:44.111Z"}, "containers": {"cna": {"title": "OpenProject is Vulnerable to Code Execution in E-Mail function", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc"}, {"name": "https://github.com/opf/openproject/releases/tag/v16.6.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/releases/tag/v16.6.2"}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"version": "< 16.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T01:06:05.430Z"}, "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2."}], "source": {"advisory": "GHSA-9vrv-7h26-c7jc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T19:16:35.525298Z", "id": "CVE-2026-22601", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T19:16:44.111Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22601", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-12T19:16:35.525298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T19:16:41.351Z"}}], "cna": {"title": "OpenProject is Vulnerable to Code Execution in E-Mail function", "source": {"advisory": "GHSA-9vrv-7h26-c7jc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"status": "affected", "version": "< 16.6.2"}]}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc", "name": "https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opf/openproject/releases/tag/v16.6.2", "name": "https://github.com/opf/openproject/releases/tag/v16.6.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T01:06:05.430Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22601", "state": "PUBLISHED", "dateUpdated": "2026-01-12T19:16:44.111Z", "dateReserved": "2026-01-07T21:50:39.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T01:06:05.430Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF8C07E6-1B04-4E9E-A12C-8CB0A17A95D5", "versionEndExcluding": "16.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2."}], "id": "CVE-2026-22601", "lastModified": "2026-01-14T22:26:03.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T02:15:48.913", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opf/openproject/releases/tag/v16.6.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:18:05.349072+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011provided patch, releasing OpenProject\u00a016.6.2, which corrects the input validation flaw for the sendmail path.", "Restrict or disable the ability to send test e\u2011mails to a small group of trusted administrators, or disable the feature entirely until the patch is installed.", "Ensure that the sendmail binary path configuration cannot be altered by external input or that it is validated against a trusted whitelist; if the web UI still allows it, remove that configuration capability until the issue is resolved."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects OpenProject 16.6.1 and older. The issue is tied to the administrative interface that permits configuration of the sendmail binary path and the ability to send test e\u2011mails. No other products or prior versions are cited as vulnerable.", "description_and_impact": "The vulnerability allows a registered administrator to execute arbitrary system commands on the server running OpenProject. It stems from insufficient validation of the sendmail binary path that the application later uses when sending a test e\u2011mail. This introduces a command injection flaw (CWE\u201177) that can lead to full control over the installation, data, and network.", "risk_and_exploitability": "The CVSS score is 8.6, indicating high severity. The EPSS score is below 1\u202f%, pointing to a low but non\u2011zero probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must have authenticated administrative privileges and can inject arbitrary commands once they set the sendmail path and trigger the test e\u2011mail function."}}}}, "created": "2026-01-12T14:36:34.704403+00:00", "updated": "2026-04-18T07:30:36.021884+00:00", "vendors": ["openproject", "openproject$PRODUCT$openproject"]}