Executive Summary
CVE-2026-41462 is a critical unauthenticated SQL injection vulnerability affecting ProjeQtor, a widely used open-source project management platform. The flaw exists in the login functionality: the login variable (username field) is directly concatenated into a SQL query without parameterization or sanitization, allowing an attacker to inject arbitrary SQL expressions.
With a CVSS score of 9.8, the vulnerability requires no prior authentication and can be exploited remotely with minimal effort. All ProjeQtor instances running versions 7.0 through 12.4.3 are affected. Organizations using ProjeQtor should apply the vendor patch immediately or implement interim mitigations.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-41462 |
| CVSS Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-89 — Improper Neutralization of Special Elements used in an SQL Command |
| Type | Unauthenticated SQL Injection |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Patch Available | Check upstream for 12.4.4 or later |
| NVD Published | 2026-04-27 |
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ProjeQtor | 7.0 through 12.4.3 | Upgrade to patched release |
Technical Analysis
What Is ProjeQtor?
ProjeQtor is a free, open-source project management tool offering task tracking, Gantt charts, resource management, time tracking, and reporting. It is used by small businesses, enterprises, and public sector organizations, and can be self-hosted — making the attack surface especially broad.
The Vulnerability
The login form submits a username value to the server-side authentication logic. The server code directly appends this value to a SQL query string without using parameterized queries or prepared statements:
Vulnerable pattern (conceptual):
```
query = "SELECT * FROM users WHERE login = '" + username_input + "'"
```

An attacker supplying a crafted username value can break out of the string literal and inject arbitrary SQL. This class of vulnerability (CWE-89) is one of the most well-documented and exploitable flaws in web applications.
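The concatenation flaw and its parameterized fix, as an added Python/sqlite3 example (not ProjeQtor's PHP code; the `users` table and its columns are constructed for the demo). A legitimate surname containing an apostrophe is enough to show the defect: the concatenated query is parsed as SQL and fails, while the bound parameter is treated as data.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the application's user table (constructed; not ProjeQtor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("o'brien", 0)])
    return conn

def lookup_vulnerable(conn, username_input):
    """The flawed pattern from the advisory: the username is spliced into the SQL text,
    so the database parses whatever it contains as SQL, not as a value."""
    query = "SELECT login, is_admin FROM users WHERE login = '" + username_input + "'"
    return conn.execute(query).fetchall()

def lookup_fixed(conn, username_input):
    """Parameterized form: the statement text is fixed and the username travels as bound data."""
    query = "SELECT login, is_admin FROM users WHERE login = ?"
    return conn.execute(query, (username_input,)).fetchall()

def demo():
    """Run both lookups on a plain name and on a name that legitimately contains an apostrophe."""
    conn = make_db()
    results = {
        "vulnerable_plain": lookup_vulnerable(conn, "alice"),
        "fixed_plain": lookup_fixed(conn, "alice"),
        "fixed_quote": lookup_fixed(conn, "o'brien"),
    }
    try:
        results["vulnerable_quote"] = lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe closed the string literal early and the remainder was parsed as SQL:
        # the same mechanism an attacker abuses with a deliberately crafted value.
        results["vulnerable_quote"] = "SQL error: " + str(exc)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```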
SQL Injection Capabilities
Through this vulnerability, an attacker can:
| Action | Description |
|---|---|
| Authentication Bypass | Log in as any user including administrators without a password |
| Data Exfiltration | Dump the full database including user credentials, project data, and configurations |
| Credential Harvesting | Extract hashed passwords for offline cracking |
| Schema Enumeration | Map the database structure for further exploitation |
| Data Manipulation | Insert, update, or delete records |
| Blind SQL Injection | Extract data through timing or boolean conditions even when query results are not directly returned |
Attack Flow
1. Attacker accesses the ProjeQtor login page (no authentication required)
2. Attacker submits a crafted username containing SQL metacharacters
3. The unsanitized input is interpolated directly into the SQL query
4. The SQL engine executes the injected statement with database user privileges
5. Attacker achieves authentication bypass and/or full database access

Impact Assessment
| Impact Area | Description |
|---|---|
| Authentication Bypass | Log in as any user, including admin accounts, without credentials |
| Full Database Access | Read all project data, user records, configurations, and credentials |
| Credential Exposure | Hashed or plaintext passwords for all ProjeQtor users |
| Data Integrity Loss | Attacker can modify or delete all project management records |
| Project Data Theft | All tasks, milestones, client data, and resource plans may be exfiltrated |
| Regulatory Exposure | Organizations processing personal data face GDPR, PIPEDA, or other obligations upon breach |
Remediation
Step 1: Upgrade ProjeQtor
Check the ProjeQtor releases page for a patched version (12.4.4 or later) and upgrade immediately.
```bash
# Back up current installation and database first
mysqldump -u <user> -p projeqtor > projeqtor_backup.sql
# Download and apply the patched release following ProjeQtor's upgrade guide
```

Step 2: Restrict Access to the Login Page
If an immediate upgrade is not possible, limit access to the ProjeQtor web interface via network controls:
```nginx
# Nginx — restrict access to internal IP ranges
location / {
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
}
```

Step 3: Enable a Web Application Firewall (WAF)
A WAF with SQL injection detection rules can block exploitation attempts while a patch is being applied:
```
# ModSecurity with OWASP Core Rule Set (CRS) provides SQLi detection
# Enable CRS rule set in your web server's ModSecurity configuration
```

Step 4: Audit for Prior Exploitation
Check your database and application logs for signs of injection attempts:
```bash
# Review web server access logs for suspicious login requests
grep -i "login" /var/log/nginx/access.log | grep -E "('|--|;|UNION|SELECT)"
# Check for unexpected admin accounts in the database
mysql -u <user> -p projeqtor -e "SELECT * FROM t_user WHERE is_admin = 1;"
```

Detection Indicators
| Indicator | Description |
|---|---|
| SQL metacharacters in login request logs (', --, ;, UNION) | SQL injection attempt |
| Authentication events with usernames containing special characters | Exploitation attempt |
| Unexpected admin accounts or modified user passwords | Post-exploitation activity |
| Unusual database query volumes or slow queries | Blind SQLi data extraction |
| Unexpected outbound connections from the ProjeQtor host | Data exfiltration |
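As an added example (not from the advisory), the following Python implements the log review from Step 4 against the indicators in the table above, percent-decoding the login value so that encoded quotes (%27) are not missed by a raw grep, and separating a lone apostrophe from stronger indicators to reduce false positives. The log lines, the login path and the parameter name are constructed assumptions; standard access logs do not record POST bodies, so this covers only values that appear in the request line.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Nginx combined-format access log parser (client IP, timestamp, method, request target, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators from the advisory's detection table: quote, SQL comment, statement separator, keywords.
INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--"),
    "separator": re.compile(r";"),
    "keyword": re.compile(r"\b(UNION|SELECT)\b", re.IGNORECASE),
}

# Constructed sample lines, not from any real system. The login path and parameter name are
# assumptions; adjust them to the endpoint your ProjeQtor deployment actually serves.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Apr/2026:10:01:02 +0000] "GET /projeqtor/view/login.php?login=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [27/Apr/2026:10:01:09 +0000] "GET /projeqtor/view/login.php?login=bob%27%20--%20 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.12 - - [27/Apr/2026:10:02:30 +0000] "GET /projeqtor/view/login.php?login=o%27brien HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [27/Apr/2026:10:03:00 +0000] "GET /projeqtor/view/gantt.php?id=5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def scan_login_requests(log_text, login_path="/view/login.php", param="login"):
    """Return one finding per request to the login endpoint whose login value matches an indicator.
    parse_qs percent-decodes the value first, so %27 is judged as the quote the database would see."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith(login_path):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                findings.append({"ip": m["ip"], "time": m["ts"], "login": value, "indicators": hits})
    return findings

def severity(finding):
    """A lone apostrophe is common in real surnames (O'Brien); comments, separators or keywords are not."""
    return "high" if set(finding["indicators"]) - {"quote"} else "low"

if __name__ == "__main__":
    for f in scan_login_requests(SAMPLE_LOG):
        print(severity(f), f["ip"], f["time"], repr(f["login"]), f["indicators"])
```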
Post-Remediation Checklist
- Upgrade to a patched ProjeQtor release
- Rotate all ProjeQtor user passwords — assume credentials may have been exfiltrated
- Audit application and database logs for injection attempts during the exposure window
- Review all admin accounts for unauthorized additions
- Restrict ProjeQtor network access to authorized IP ranges
- Enable WAF rules for SQLi detection going forward
- Assess whether any personal data was involved and determine regulatory notification obligations