OpenProject 17.1.2

Release date: 2026-02-26

We released OpenProject OpenProject 17.1.2. The release contains several bug fixes and we recommend updating to the newest version. Below you will find a complete list of all changes and bug fixes.

Security fixes

CVE-2026-27715 - User mentions result in information disclosure of user names

The Work Package Activity comment feature does not properly validate whether a mentioned user is a member of the current project.

By manipulating the data-id attribute of the <mention> element in the comment request, a low-privileged user who has access to a single project can mention arbitrary users within the same organization, even if those users are not members of the project.

The backend accepts the supplied user ID without enforcing project membership checks, resolves the mention, and triggers server-side notification workflows (including email notifications).

This behavior violates the intended access control and project isolation model.

This vulnerability was reported by user slashx0x as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-j4m9-7hff-8qgr

CVE-2026-27716 - Information disclosure on OpenProject through /api/v3/custom_fields/{id}/items

The api implementation for custom_fields lacks any validation that the current user is authorized on any project using the custom_field data. This leaks potentially sensitive, project specific business logic.

This vulnerability was reported by user syndrome_impostor as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-qpg6-635j-wjc2

CVE-2026-27717 - IDOR on OpenProject allows any user to overwrite any sprint/version title

An attacker can overwrite the Sprint/Version titles of any project in the same instance/using the same database.

This vulnerability was reported by user posisec as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-p3hw-5g6p-69f2

CVE-2026-27718 - Stored HTML Injection via MentionFilter Bypass Leads to Credential Harvesting in Email Notifications

A stored HTML injection vulnerability exists in OpenProject's Markdown rendering pipeline. The MentionFilter decodes HTML entities after the SanitizationFilter has already run, allowing an attacker to inject arbitrary HTML into work package comments. This HTML is stored server-side and rendered without sanitization in email notifications sent to all watchers, assignees, and mentioned users, causing confusion about inserted elements.

This vulnerability was reported by user s-sploit-c as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-cxm3-9m5g-9cq4

The vulnerability is an IDOR/authorization flaw in the My Page grid widgets that allows any authenticated user to delete arbitrary queries by ID. The My Page widgets for work packages accept a queryId inside the widget options. This queryId is stored without any permission checks, and when the widget is removed, a server-side after_destroy hook deletes the query referenced by that queryId.

This vulnerability was reported by user Edia_r as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-7xv7-73x4-qqvp

CVE-2026-27720 - IDOR on backlog stories allows leaking of work package subject

The RbStoriesController calls Story.find(params[:id]) without scoping to the current project or visibility.

By causing an update to the Story with a subject longer than 255 characters, the update is rejected, which results in the original title being returned in the HTTP response.

Since user stories are mapped to work packages[1], this allows reading out the title of any work package just by providing the incrementing work package ID.

This vulnerability was reported by user posisec as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-xfmm-g339-3x85

CVE-2026-27721 - Improper Authentication on OpenProject through /oauth/authorize via GET parameter “redirect_uri” when using mobile OAuth app

OpenProject permits the registration of custom URI schemes (e.g., openprojectapp://) for OAuth callbacks without enforcing PKCE (Proof Key for Code Exchange) or validating the exclusivity of the destination application (via Universal Links).

By intercepting this code, an attacker with access to the mobile device can exchange it for an access token (as the client is "Public" and has no secret), effectively hijacking the user's session and gaining full API access to their account

This vulnerability was reported by user wayward as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-w92f-h4wh-g4w4

CVE-2026-27722 - IDOR on OpenProject through /meetings/{meeting_id}/agenda_items/{id}/move_to_section via POST request

There is an Insecure Direct Object Reference (IDOR) in the MeetingAgendaItemsController#move_to_section endpoint. This allows an authenticated user to perform Meeting Agenda Pollution by moving their own agenda items into any meeting section of any other project.

While the initial agenda item is loaded from the authorized meeting context, the controller fails to validate that the target meeting_section_id belongs to the same project or a project where the user has permission.

This vulnerability was reported by user Herdiyan Adam Putra (herdiyanitdev) as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-xw8w-4qxm-g9gv

CVE-2026-27731 - IDOR on OpenProject via PUT /work_packages/[workPackageId]/activities/[activityId]/toggle_reaction allows reader user to read internal comments

A missing permission check on the endpoint to add an emoji reaction to a comment allows an attacker to add an emoji reaction to internal comments, even if they do not have access to internal comments. To correctly display the information in the frontend, the server returns the complete internal comment with the added emoji reaction to the attacker. This allows the attacker by guessing the ID of an internal comment, to access those comments without the permission to see them.

This vulnerability was reported by user tuannq_gg as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-3qgp-q2x5-c4jw

CVE-2026-27733 - Authorization bypass via MCP endpoint

If the MCP server is enabled in the application, users that do not have access to enumerate Status or Types could access those resources without proper permission checks via the MCP server.

This vulnerability was reported by users noidont and syndrome_impostor as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-w9w6-f59w-89vj

CVE-2026-27817 - Missing boundary check allows users with Manage Agenda Items permission in one project to create Agenda Items in Meetings in other projects

When creating meeting agenda items, the code did properly check that the section an agenda item should be put into belongs to the meeting provided in the URL. This lead to a user with the Manage Meeting Agendas permission in one project to be able to add meeting agenda items to every meeting in the instance. Together with the response about the creation of the meeting agenda item, certain meeting details including

Status of the meeting
Creator of the meeting
Date and Time range of the meeting

No other details of the meeting information were exposed.

This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-c76v-8735-35hq

CVE-2026-27827 - Insecure Direct Object Reference in Project Storage Administrition Theft & Pre-Auth Remote Folder Deletion

An unscoped loading of Project Storages lead to users with the Manage Files in Project permission in one project, to access project storages in other projects. This would give information about the storage that they were not supposed to see.

Additionally, for storages with automatic project folder management, when a deletion of the project folder was triggered, the deletion in the file storage was triggered before the permission check was executed. Together with the unscoped loading above, this allowed users with Manage Files in Project permission in one project, to delete automatically managed folders in file storages that they did not have access to.

This vulnerability was reported by user cavid as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-v8cr-7x8f-78mq

Bug fixes and changes

Bugfix: Error when creating a new work package after uploading an attachment to the previous one that was opened in details view [#67980]
Bugfix: Pasting rich text into CKEditor crashes it [#69597]
Bugfix: external_redirect URL always engaged, making copy&pasting links harder [#71946]
Bugfix: Parent project name visible in breadcrumb irrespective of parent access [#71972]
Bugfix: Trying to attach a calendar part when no mail is being generated fails [#72244]
Bugfix: Meetings appear duplicate in the ical subscription after an interim response [#72259]
Bugfix: Can't create automatically managed project folder when project name contains forbidden Nextcloud characters [#72525]

Contributions

A big thanks to our Community members for reporting bugs and helping us identify and provide fixes. This release, special thanks for reporting and finding bugs go to Александр Татаринцев, Slavur Jones.

Hilfe und Feedback

Schlagen Sie Projektmanagement-Fachbegriffe in unserem Wörterbuch nach

Glossar anzeigen

Wenn Sie Hilfe von der Community benötigen oder andere unterstützen möchten

Im OpenProject Forum posten

Wenn Sie für professionellen Support qualifiziert sind und mehr Fragen haben

Unterstützung anfordern

Wenn Sie einen leicht behebbaren Fehler oder eine Verbesserungen in der Dokumentation finden

Diese Seite bearbeiten

Wenn Sie zu dieser Dokumentation ein größere Updates oder Verbesserungen vorschlagen möchten

Ticket erstellen

Wenn Sie dazu beitragen möchten, diese Dokumentation in eine andere Sprache zu übersetzen

Auf Crowdin übersetzen

Wenn es über diese Funktionalität etwas gibt was Ihnen nicht gefällt oder nicht verstehen

Ticket erstellen

Wenn Sie eine neue Funktion vorschlagen möchten die OpenProject noch nicht bietet

Funktionsvorschlag einreichen

Um OpenProject weiter zu helfen, neue Funktionen zu gestalten und zu testen

Am Beta-Test teilnehmen

Um OpenProject Enterprise Add-ons und Preise anzuzeigen

Preise anzeigen

Wenn Sie alle Enterprise Add-ons in der OpenProject Cloud Edition 14 Tage kostenlos ausprobieren möchten

OpenProject Cloud Edition kostenlos testen

Wenn Sie alle Enterprise Add-ons 14 Tage kostenlos ausprobieren möchten in der-Community-Installation

Kostenlose OpenProject Enterprise Edition (Selbstverwaltet)