CVE-2026-34717

OpenProject · OpenProject

A SQL injection vulnerability in OpenProject's reporting module allows attackers to execute unauthorized database queries via unparameterized user input.

Executive summary

OpenProject versions prior to 17.2.3 are vulnerable to a critical SQL injection flaw that could result in total database compromise and data exfiltration.

Vulnerability

The "=n" operator in the reporting module fails to parameterize user input before embedding it into SQL WHERE clauses. This allows an attacker to inject malicious SQL commands directly into the application's database queries.
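The pattern described above, as an added illustration in Ruby (the language OpenProject is written in); this is not OpenProject's own code, and the table name, column allow-list and function names are assumptions. It contrasts an "=n" filter that interpolates the operator value into the WHERE clause with a hardened version that validates the value as an integer and hands it to the driver as a bind parameter:

```ruby
# Added illustration, not OpenProject's code. Builds SQL text only; no database needed.
# Table and column names are assumed for the example.

# Vulnerable pattern: the "=n" operator value is embedded verbatim into the SQL text,
# so any non-numeric input becomes part of the query structure.
def unsafe_equals_clause(column, value)
  "SELECT * FROM work_packages WHERE #{column} = #{value}"
end

# Hardened pattern: the column must come from a fixed allow-list, the value must be a
# whole number, and the SQL is returned separately from its bind parameters so the
# database driver never interprets the value as SQL.
ALLOWED_COLUMNS = %w[id project_id status_id assigned_to_id].freeze

class InvalidFilterError < StandardError; end

def safe_equals_clause(column, value)
  raise InvalidFilterError, "unknown column #{column.inspect}" unless ALLOWED_COLUMNS.include?(column)
  raise InvalidFilterError, "not an integer: #{value.inspect}" unless value.to_s.match?(/\A-?\d+\z/)
  ["SELECT * FROM work_packages WHERE #{column} = ?", [Integer(value.to_s, 10)]]
end

if __FILE__ == $PROGRAM_NAME
  tampered = "1 OR 1=1" # constructed sample input for the "=n" operator
  puts unsafe_equals_clause("status_id", tampered)
  begin
    safe_equals_clause("status_id", tampered)
  rescue InvalidFilterError => e
    puts "rejected: #{e.message}"
  end
  p safe_equals_clause("status_id", "42")
end
```

The same non-numeric input that changes the structure of the unsafe query is rejected by the hardened version before any SQL is built.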

Business impact

SQL injection is a severe threat that can lead to the unauthorized disclosure of sensitive project data, user credentials, and intellectual property. An attacker could potentially modify or delete database records, leading to data loss and significant operational disruption. The CVSS score of 9.9 reflects the near-total impact on data integrity and confidentiality.

Remediation

Immediate Action: Upgrade OpenProject to version 17.2.3 or later without delay; the fixed release adds the missing parameterization to the affected SQL queries.

Proactive Monitoring: Review database logs for unusual query patterns or syntax errors that may indicate SQL injection attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious payloads before they reach the application. Treat this as a stopgap until the upgrade is applied, not as a substitute for it.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations hosting OpenProject must apply the 17.2.3 patch without delay. SQL injection remains one of the most dangerous and commonly exploited vulnerability types; securing the database layer is critical to maintaining the security of the entire project management environment.