What is CVE-2026-34717?

CVE-2026-34717 is a critical-severity vulnerability in Opf Openproject, classified under SQL Injection. CVSS score: 9.9/10. Published 2026-04-02.

How severe is CVE-2026-34717?

Critical severity. CVSS v3 base score is 9.9 out of 10.

SQL Injection in Opf Openproject

CVE-2026-34717

OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This…

Vulnerability class: SQL Injection

EPSS: 0.000 (14.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H.

Affected products

Opf Openproject — versions < 17.2.3

Weakness classification (CWE)

CWE-89 — SQL Injection

References

https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364 (x_refsource_CONFIRM)
https://github.com/opf/openproject/releases/tag/v17.2.3 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-34717?: CVE-2026-34717 is a critical-severity vulnerability in Opf Openproject, classified under SQL Injection. CVSS score: 9.9/10. Published 2026-04-02.
How severe is CVE-2026-34717?: Critical severity. CVSS v3 base score is 9.9 out of 10.