OpenProject 16.6.4

Release date: 2026-01-08

We released OpenProject 16.6.4.

The release contains security-relevant bug fixes, and we strongly urge updating to the newest version. Below you will find a complete list of all changes and bug fixes.

CVE-2026-22600 - Arbitrary File Read via ImageMagick SVG Coder

A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject < 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permission to access (e.g., /etc/passwd, all project configuration files, private project data, etc.).

This vulnerability was assigned CVE-2026-22605. For more information, please see the GitHub Advisory GHSA-m8f2-cwpq-vvhh.

The vulnerability was responsibly disclosed through the YesWeHack bounty program for OpenProject by user syndrome_imposter. This bug bounty program is sponsored by the European Commission.
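The root cause above is an attachment whose declared type (PNG) does not match its bytes (SVG text). The following Ruby check is an added example, not OpenProject's own code: it sniffs the leading bytes of an upload, rejects anything that is not the raster type it claims to be, and classifies XML/SVG markup explicitly so it is never handed to a raster coder. The upload interface (a declared MIME type plus raw bytes) and all sample data are constructed assumptions.

```ruby
# Added example: content sniffing for image attachments before any
# ImageMagick processing. Not OpenProject code; interface is assumed.

PNG_MAGIC  = "\x89PNG\r\n\x1a\n".b.freeze
JPEG_MAGIC = "\xFF\xD8\xFF".b.freeze
GIF_MAGICS = ["GIF87a".b, "GIF89a".b].freeze

# Return the type the leading bytes actually indicate, or :unknown.
def sniff_image_type(bytes)
  data = bytes.b
  return :png  if data.start_with?(PNG_MAGIC)
  return :jpeg if data.start_with?(JPEG_MAGIC)
  return :gif  if GIF_MAGICS.any? { |m| data.start_with?(m) }
  # SVG is XML text: anything that opens with markup is classified as :svg
  # so a declared raster type can never smuggle it past the check.
  head = data[0, 512].to_s
  return :svg if head.lstrip.start_with?("<") && head.match?(/<svg|<\?xml|<!DOCTYPE/i)
  :unknown
end

# Raster types allowed into the resize/export pipeline, keyed by declared MIME.
DECLARED_TO_SNIFFED = {
  "image/png"  => :png,
  "image/jpeg" => :jpeg,
  "image/gif"  => :gif,
}.freeze

# Accept only when the declared MIME type is an allowed raster type AND the
# bytes really are that type. Returns [accepted?, reason].
def validate_image_upload(declared_mime, bytes)
  expected = DECLARED_TO_SNIFFED[declared_mime]
  return [false, "type #{declared_mime} not allowed for image processing"] unless expected
  actual = sniff_image_type(bytes)
  return [false, "content is #{actual}, not #{expected}"] unless actual == expected
  [true, "ok"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: a real PNG header and an SVG document declared as PNG.
  png_bytes = PNG_MAGIC + "\x00\x00\x00\rIHDR".b
  svg_text  = "<?xml version=\"1.0\"?><svg xmlns=\"http://www.w3.org/2000/svg\"/>"
  p validate_image_upload("image/png", png_bytes) # => [true, "ok"]
  p validate_image_upload("image/png", svg_text)  # => [false, "content is svg, not png"]
end
```

Pair this with an ImageMagick security policy (policy.xml) that denies the SVG, MSVG and TEXT coders, so a bypass of the application-level check still cannot reach the coder that performs the file read.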

Bug fixes and changes

  • Bugfix: SVG attachments are interpreted as PNG [#70349]