Description

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the <Snapshot> value in markup.bcf is manipulated to contain an absolute or traversal local path (for example: /etc/passwd or ../../../../etc/passwd). During import, this untrusted <Snapshot> value is used as file.path during attachment processing. As a result, local filesystem content can be read outside the intended ZIP scope. This results in an Arbitrary File Read (AFR) within the read permissions of the OpenProject application user. This vulnerability is fixed in 17.2.0.

INFO

Published Date :

2026-03-11T15:59:11.145Z

Last Modified :

2026-03-11T17:18:50.762Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30234 vulnerability.

Vendors Products
Openproject
  • Openproject
Opf
  • Openproject
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30234.

URL Resource
https://github.com/opf/openproject/security/advisories/GHSA-q8c5-vpmm-xrxv cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact