On this page
- CVEs
  - CVE-2026-22605 - Insecure Direct Object Reference in Meetings
- Bug fixes and changes

OpenProject 16.6.3

Release date: 2025-12-11

We released OpenProject OpenProject 16.6.3. The release contains security relevant bug fixes and we strongly urge updating to the newest version. Below you will find a complete list of all changes and bug fixes.

CVEs

CVE-2026-22605 - Insecure Direct Object Reference in Meetings

OpenProject versions <= 16.6.2 allows users with the View Meetings permission on any project, to access meeting agenda and section titles, notes, and text outcomes of meetings that belonged to projects, the user does not have access to. Linked work packages to projects the user is not allowed to see, are not affected.

This vulnerability was assigned to the CVE CVE-2026-22605. For more information, please see the GitHub Advisory GHSA-fq4m-pxvm-8x2j.

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

Bug fixes and changes

Bugfix: Shared WP inaccessible to non-project members (Error 404) #68852 [#68921]
Bugfix: User not fully deleted if that user created a recurring meeting [#69517]
Bugfix: No message when using "forgot password" with unknown email [#69730]

Help and feedback

Look up project management terms in our dictionary

If you need help from the community or want to support others

Post on OpenProject forum

If you are eligible for professional support and have more questions

Request support

If you find an easily fixable error or need for improvement in the documentation

If you would like to suggest bigger updates or improvements to this documentation

Create an issue

If you want to contribute to translate this documentation to another language

Translate on crowdin

If there’s something you don’t like or understand about this feature

Create an issue

If you want to propose a new feature that OpenProject does not offer yet

Submit feature proposal

To further help OpenProject to shape and test new features

Join beta testing

To view OpenProject Enterprise add-ons and pricing

View pricing page

If you want to try all Enterprise add-ons in the OpenProject Enterprise cloud 14 days for free

Free trial OpenProject Enterprise cloud

If you want to try all Enterprise add-ons in your on premise Community installation 14 days for free

Free trial OpenProject Enterprise on premises

JavaScript deactivated. Many features of this site do not work without JavaScript. More information

Search area:

Most popular topics