


Perceptive Security
SOC/SIEM Consultancy

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality …
Published:
9 January 2026 at 23:00:00
Alert date:
10 January 2026 at 13:10:58
Source:
nvd.nist.gov
A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. An attacker exploits it by uploading a specially crafted SVG file disguised as a PNG attachment. When the work package is exported to PDF, the attachment is handed to the backend ImageMagick processing engine, which identifies the format from the file's contents rather than from the declared PNG type and therefore processes it as SVG; the crafted SVG causes ImageMagick to read arbitrary local files readable by the OS account the OpenProject process runs as. This includes sensitive files such as /etc/passwd, project configuration files, and private project data. The attack requires permission to upload attachments to containers that can be exported to PDF. The issue has been patched in version 16.6.4.
Technical details
Mitigation steps:
Upgrade OpenProject to version 16.6.4 or later, which contains the fix. Until the upgrade is applied, limit which users may upload attachments to containers that can be exported to PDF, since that permission is the precondition for the attack.
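The following is an added example, not OpenProject's own code and not the fix shipped in 16.6.4: a Ruby check (OpenProject is a Ruby on Rails application) that refuses to store an attachment whose bytes do not match the image type it was declared as, which is the mismatch a "disguised as PNG" SVG upload relies on. The function names, the constructed sample bytes and the `accept_for_pdf_exportable_container?` policy are assumptions for illustration.

```ruby
# Added example (not OpenProject code): decide the real type of an uploaded
# image from its leading bytes instead of trusting the filename or the
# Content-Type the client sent, so an SVG cannot be stored as a "PNG" and
# later be handed to ImageMagick during a PDF export.

PNG_MAGIC  = "\x89PNG\r\n\x1a\n".b
JPEG_MAGIC = "\xFF\xD8\xFF".b
GIF_MAGICS = ["GIF87a".b, "GIF89a".b].freeze
UTF8_BOM   = "\xEF\xBB\xBF".b

# Returns :png, :jpeg, :gif, :svg or :unknown based on the content only.
def sniff_image_type(bytes)
  data = bytes.to_s.b
  return :png  if data.start_with?(PNG_MAGIC)
  return :jpeg if data.start_with?(JPEG_MAGIC)
  return :gif  if GIF_MAGICS.any? { |m| data.start_with?(m) }

  # SVG is XML: skip an optional BOM and whitespace, then look for an XML
  # declaration, a DOCTYPE or an <svg> root. Anything XML-like is reported
  # as :svg because an XML-aware decoder will treat it that way.
  head = data.start_with?(UTF8_BOM) ? data[3..-1] : data
  head = head.lstrip[0, 512]
  return :svg if head.start_with?("<?xml") || head.match?(/\A<(svg|!doctype\s+svg)\b/i)

  :unknown
end

# Declared MIME type -> the sniffed type we require the bytes to have.
DECLARED_TO_SNIFFED = {
  "image/png"     => :png,
  "image/jpeg"    => :jpeg,
  "image/gif"     => :gif,
  "image/svg+xml" => :svg,
}.freeze

# True only when the declared Content-Type and the actual bytes agree.
# A declared type we do not know is rejected rather than waved through.
def attachment_consistent?(declared_content_type, bytes)
  mime     = declared_content_type.to_s.downcase.split(";").first.to_s.strip
  expected = DECLARED_TO_SNIFFED[mime]
  return false if expected.nil?
  sniff_image_type(bytes) == expected
end

# Hypothetical upload policy for containers whose attachments can end up in
# a PDF export: require consistency AND refuse SVG entirely there, on the
# assumption (ours, not the advisory's) that such containers have no
# legitimate need for SVG.
def accept_for_pdf_exportable_container?(declared_content_type, bytes)
  attachment_consistent?(declared_content_type, bytes) && sniff_image_type(bytes) != :svg
end

# Constructed sample inputs (not real attachments or exploit payloads).
REAL_PNG   = PNG_MAGIC + "\x00\x00\x00\x0DIHDR".b
BENIGN_SVG = "<?xml version=\"1.0\"?>\n<svg xmlns=\"http://www.w3.org/2000/svg\"/>"
SVG_AS_PNG = BENIGN_SVG # identical bytes, but uploaded with Content-Type image/png

if __FILE__ == $PROGRAM_NAME
  puts attachment_consistent?("image/png", REAL_PNG)                    # true
  puts attachment_consistent?("image/png", SVG_AS_PNG)                  # false
  puts accept_for_pdf_exportable_container?("image/svg+xml", BENIGN_SVG) # false
end
```

The sniffer is deliberately more suspicious of XML than of binary formats: anything that looks like XML after a BOM and whitespace is classified as SVG, because that is how an image library that detects formats by content will treat it. Where the export pipeline shells out to ImageMagick, the usual complementary control (general hardening, not something the advisory describes) is to restrict the SVG and MSVG coders in ImageMagick's policy.xml so the backend will not rasterize SVG at all.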
Affected products:
OpenProject
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-22600
https://github.com/opf/openproject/releases/tag/v16.6.4
https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
