CVE-2026-22600: Silent Data Leak Through OpenProject PDF Export – When SVGs Turn Reports into File Disclosure Weapons

Vulnerability Name: OpenProject PDF Export SVG/ImageMagick Local File Read (LFR)
CVE ID: CVE-2026-22600
Affected Product: OpenProject (PDF export functionality)
Component: SVG rendering via ImageMagick during PDF export
Vulnerability Type: Local File Read (Sensitive File Disclosure)
Attack Vector: Remote
Authentication Required: Yes (valid OpenProject user with PDF export access)
User Interaction: Required (triggering PDF export)


Severity & Risk Overview

  • CVSS v3.1 Score: 8.1 (High)
  • Severity: High
  • Exploitability: Medium
  • Impact: High (confidentiality impact)
  • Exploit Availability:
    • No widely published public exploit at the time of writing
    • Practical exploitation is feasible with low complexity once access is obtained

This vulnerability allows an authenticated attacker to read sensitive files from the OpenProject server’s filesystem by abusing how SVG files are processed during PDF export.


Executive Summary

OpenProject allows users to export work packages and other content as PDFs. Behind the scenes, this feature converts SVG images into PDFs using ImageMagick. Because SVG input is not sufficiently restricted before it reaches ImageMagick, a malicious user can embed external resource references (such as file:// URIs) in an SVG image.

When the PDF is generated, the server may unknowingly read files from its own system—such as password files or application secrets—and embed their contents into the exported PDF. The attacker can then download the PDF and see data that should never be exposed.

In short: a normal user can trick the server into leaking its own files.


Root Cause

  • OpenProject relies on ImageMagick to process SVG content during PDF export.
  • SVG supports external resource references (for example, file:// URIs).
  • ImageMagick, if not strictly sandboxed, will attempt to resolve these references.
  • OpenProject does not sufficiently sanitize or restrict SVG input before passing it to ImageMagick.

How the Vulnerability Can Be Exploited

  1. The attacker uploads or injects a crafted SVG image into a project field, description, or attachment that supports rendering.
  2. The SVG contains a reference to a local file on the server.
  3. The attacker triggers the PDF export feature.
  4. During export:
    • ImageMagick processes the SVG.
    • The referenced local file is read.
    • File contents are embedded into the generated PDF.
  5. The attacker downloads the PDF and extracts the sensitive data.

Example Malicious SVG Payload (Educational)

<svg xmlns="http://www.w3.org/2000/svg" width="500" height="200">
<image href="file:///etc/passwd" x="0" y="0" height="200" width="500"/>
</svg>

On Linux-based systems, this could expose:

  • /etc/passwd
  • /etc/shadow (if permissions allow)
  • Application secrets
  • Environment configuration files

On Windows:

  • C:\Windows\win.ini
  • Application config files

Impact

What an Attacker Can Access

  • System user information
  • Application secrets and API keys
  • Database credentials
  • Internal configuration files
  • Potentially source code files

What an Attacker Cannot Do

  • Directly modify files
  • Execute arbitrary commands (this is not RCE)
  • Bypass authentication entirely

However, leaked credentials may later be used for deeper compromise.


MITRE ATT&CK Mapping

  • TA0006 – Credential Access
    • T1552: Unsecured Credentials (configuration files)
  • TA0007 – Discovery
    • T1083: File and Directory Discovery
  • TA0009 – Collection
    • T1005: Data from Local System

Detection & Monitoring

How This Attack Can Be Detected

Application Logs

Look for:

  • PDF export events initiated by unusual users
  • Repeated PDF exports in short time frames
  • Export actions immediately following SVG uploads or edits

ImageMagick / System Logs

  • File access attempts to sensitive paths during PDF generation
  • Unexpected reads of system files by the OpenProject process

Sample Detection Patterns

Indicators in SVG Content

  • Presence of file:// URIs
  • References to absolute paths
  • Suspicious SVG tags such as <image>, <use>, or <feImage>

Detection Rule

IF svg_content CONTAINS "file:///"
AND action = "pdf_export"
THEN alert "Possible SVG LFR attempt"
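The pseudo-rule above, implemented as a small SVG scanner in Python. This is an added example and not code from the advisory or from OpenProject; the two SVG samples are constructed for illustration (the first mirrors the shape of the payload shown earlier). It goes slightly beyond the literal rule: it also catches case variants of the file: scheme, the SVG 1.1 xlink:href attribute, absolute Linux and Windows paths, and the <image>, <use> and <feImage> elements the indicator list names, and it still raises a finding when the XML is deliberately malformed.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements the advisory names as able to pull in external resources.
SUSPICIOUS_TAGS = {"image", "use", "feImage"}
# SVG 2 uses a plain href attribute; SVG 1.1 content uses xlink:href.
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)

# Text-level pre-checks. They fire even when the XML is malformed, so that a
# lenient renderer-side parser cannot see a reference the detector missed.
FILE_URI_RE = re.compile(r"file\s*:\s*/{2,3}", re.IGNORECASE)
ABS_PATH_RE = re.compile(
    r"""href\s*=\s*["']\s*(/[^"']+|[A-Za-z]:\\[^"']+)["']""", re.IGNORECASE
)

# Constructed samples (not real uploads).
MALICIOUS_SVG = (
    f'<svg xmlns="{SVG_NS}" width="500" height="200">'
    '<image href="file:///etc/passwd" x="0" y="0" height="200" width="500"/>'
    "</svg>"
)
BENIGN_SVG = f'<svg xmlns="{SVG_NS}" width="10" height="10"><rect width="10" height="10"/></svg>'


def scan_svg(svg_text):
    """Return a list of (reason, detail) findings for one SVG document."""
    findings = []
    if FILE_URI_RE.search(svg_text):
        findings.append(("file_uri", "file: scheme present in SVG text"))
    for m in ABS_PATH_RE.finditer(svg_text):
        findings.append(("absolute_path", m.group(1)))
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Malformed SVG is itself worth a finding; the text checks above still apply.
        findings.append(("parse_error", "SVG is not well-formed XML"))
        return findings
    for el in root.iter():
        local = el.tag.split("}", 1)[-1]  # drop the namespace prefix
        if local not in SUSPICIOUS_TAGS:
            continue
        ref = next((el.get(a) for a in HREF_ATTRS if el.get(a) is not None), None)
        findings.append(("suspicious_tag", "<%s> href=%r" % (local, ref)))
    return findings


def should_alert(svg_text, action):
    """The advisory's rule: a file: reference in the SVG AND the action is a PDF export."""
    reasons = {reason for reason, _ in scan_svg(svg_text)}
    return action == "pdf_export" and "file_uri" in reasons


if __name__ == "__main__":
    for name, svg in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(name, scan_svg(svg), "alert:", should_alert(svg, "pdf_export"))
```

Run the scanner over the SVG body at upload or edit time and again when a PDF export is requested, keyed by the user and project, so the "export immediately after an SVG edit" pattern from the application-log section can be correlated. The standard library parser is used here for portability; for untrusted input in production, a hardened parser such as defusedxml is the safer choice.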

Recommended Log Sources

  • OpenProject application logs
  • Web server access logs
  • ImageMagick execution logs (if enabled)
  • Host-based file access monitoring (EDR / auditd)

Proof of Concept (PoC)

  • No official public PoC published at this time.
  • Internal testing confirms exploitation using crafted SVG payloads.
  • Exploitation does not require special tooling beyond basic SVG editing.

Mitigation & Remediation

Official Fix (Recommended)

Upgrade OpenProject to the patched version provided by the vendor.

Official Patch Link:
https://www.openproject.org/security/

(The patched release restricts SVG handling and enforces safer ImageMagick policies.)


Additional Hardening

  • Disable SVG rendering where not strictly required
  • Enforce ImageMagick policy.xml restrictions:
    • Disable file, http, and https coders for SVG
  • Run OpenProject with minimal filesystem permissions
  • Isolate PDF generation in a restricted container or sandbox
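A way to verify the policy.xml point in the list above: a checker that parses an ImageMagick policy file and reports which of the coders the advisory says to disable are still enabled. This is an added example, not code from the advisory, OpenProject or ImageMagick; the two policy fragments are constructed, and including URL among the required coders is an assumption (it is ImageMagick's generic fetcher for remote schemes) that goes beyond the page's list of file, http and https.

```python
import re
import xml.etree.ElementTree as ET

# Coders the advisory says to disable for SVG handling (file, http, https).
# URL is an added assumption: it is the generic remote-fetch coder, so a policy
# that leaves it open is treated here as incomplete.
REQUIRED_BLOCKED_CODERS = ("FILE", "HTTP", "HTTPS", "URL")

# Constructed policy.xml fragments, not files shipped with any product.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{FILE,HTTP,HTTPS,URL}"/>
</policymap>"""


def expand_pattern(pattern):
    """Expand a single brace group such as {A,B,C} into upper-cased alternatives."""
    pattern = pattern.strip()
    if not pattern:
        return set()
    m = re.fullmatch(r"\{([^}]*)\}", pattern)
    if not m:
        return {pattern.upper()}
    return {p.strip().upper() for p in m.group(1).split(",") if p.strip()}


def blocked_coders(policy_xml):
    """Return the set of coder names to which the policy grants no rights at all."""
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if (pol.get("domain") or "").strip().lower() != "coder":
            continue
        # rights="read" or "write" still allows the dangerous direction; only
        # rights="none" fully disables a coder.
        if (pol.get("rights") or "").strip().lower() != "none":
            continue
        blocked |= expand_pattern(pol.get("pattern") or "")
    return blocked


def missing_restrictions(policy_xml, required=REQUIRED_BLOCKED_CODERS):
    """List the required coders this policy still leaves enabled."""
    blocked = blocked_coders(policy_xml)
    if "*" in blocked:  # a blanket deny covers every coder
        return []
    return [c for c in required if c not in blocked]


def check_policy_file(path):
    """Convenience wrapper for a policy.xml on disk (path is caller-supplied)."""
    with open(path, encoding="utf-8") as fh:
        return missing_restrictions(fh.read())


if __name__ == "__main__":
    print("weak policy still allows:", missing_restrictions(WEAK_POLICY))
    print("hardened policy still allows:", missing_restrictions(HARDENED_POLICY))
```

The full policy.xml that ImageMagick ships carries an XML declaration and an internal DOCTYPE subset; both parse fine with this checker, so check_policy_file can be pointed at the live file. An empty list is the result to look for, and a non-empty one names the coders that still need a rights="none" entry.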

Final Takeaway

This vulnerability is dangerous not because it is flashy, but because it is quiet. No crashes, no alerts—just sensitive data slowly leaking out through exported PDFs. Organizations using OpenProject should treat this issue seriously, especially if the platform is exposed to multiple users or external collaborators.

Applying the official patch is strongly advised, followed by a review of historical PDF exports for potential data exposure.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.