OpenProject Path Traversal Vulnerability in BCF Import Leads to Arbitrary File Read

Vulnerability

A path traversal vulnerability allowing arbitrary file read has been identified in OpenProject versions prior to 17.2.0. It arises when an authenticated project member with BCF import permissions uploads a manipulated .bcf archive. The <Snapshot> value in markup.bcf can be altered to an absolute local path or a directory-traversal path, such as /etc/passwd. During import, this untrusted <Snapshot> value is used as file.path in attachment processing, so the read is not confined to the contents of the ZIP archive. As a result, any file readable by the OpenProject application user can be disclosed.
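
The mitigation a BCF importer needs is to treat <Snapshot> as a reference to an entry inside the archive's topic folder, never as a filesystem path. The following Ruby example is added here for illustration and is not OpenProject's code nor the fix shipped in 17.2.0; the markup.bcf samples and the ZIP entry list are constructed, and the topic folder is assumed to be named after the Topic Guid as in the BCF container layout.

```ruby
require "rexml/document"

# Constructed markup.bcf samples (not from the advisory). In the malicious one
# the <Snapshot> element points at an absolute local path, not a ZIP entry.
MALICIOUS_MARKUP = <<~XML
  <Markup>
    <Topic Guid="11111111-1111-1111-1111-111111111111"><Title>Demo</Title></Topic>
    <Viewpoints Guid="22222222-2222-2222-2222-222222222222">
      <Viewpoint>viewpoint.bcfv</Viewpoint>
      <Snapshot>/etc/passwd</Snapshot>
    </Viewpoints>
  </Markup>
XML
BENIGN_MARKUP = MALICIOUS_MARKUP.sub("/etc/passwd", "snapshot.png")

# Constructed entry list as a BCF ZIP would contain it (topic folder = Guid).
ARCHIVE_ENTRIES = [
  "bcf.version",
  "11111111-1111-1111-1111-111111111111/markup.bcf",
  "11111111-1111-1111-1111-111111111111/viewpoint.bcfv",
  "11111111-1111-1111-1111-111111111111/snapshot.png",
].freeze

# Resolve a <Snapshot> value to an entry inside the topic folder. Returns the
# archive-internal path, or nil when the value is absolute, climbs out of the
# topic folder, or names something that is not an entry of the archive.
def safe_snapshot_entry(topic_guid, snapshot_value, entries)
  return nil if snapshot_value.nil? || snapshot_value.strip.empty?
  value = snapshot_value.strip.tr("\\", "/")
  return nil if value.start_with?("/") || value.match?(/\A[A-Za-z]:/)
  parts = []
  value.split("/").each do |seg|
    next if seg.empty? || seg == "."
    return nil if seg == ".." # any parent reference leaves the topic folder
    parts << seg
  end
  return nil if parts.empty?
  candidate = "#{topic_guid}/#{parts.join('/')}"
  entries.include?(candidate) ? candidate : nil
end

# Walk every <Snapshot> in markup.bcf; pairs each raw value with its validated
# archive entry (nil means reject the import, never touch the local filesystem).
def validated_snapshots(markup_xml, entries)
  doc = REXML::Document.new(markup_xml)
  topic = REXML::XPath.first(doc, "/Markup/Topic") || raise(ArgumentError, "missing <Topic>")
  guid = topic.attributes["Guid"]
  REXML::XPath.match(doc, "/Markup/Viewpoints/Snapshot").map do |node|
    [node.text, safe_snapshot_entry(guid, node.text, entries)]
  end
end
```

Only the returned archive-internal path should ever be handed to the ZIP reader; a nil result should fail the whole import with a clear validation error.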

Impact

Exploitation of this vulnerability allows for arbitrary file read access, enabling an attacker to read sensitive local files within the permissions of the OpenProject application user.

Remediation

Users can upgrade to OpenProject version 17.2.0 or later to address this vulnerability.

Added: Mar 11, 2026, 4:20 PM
Updated: Mar 11, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          3.3
exploitability  5.2
remediation     7.7
relevance       3.8
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.