Changelog History
v17.0.5 Changes
Release date: 2026-02-26
We released OpenProject 17.0.5.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-27715 - User mentions result in information disclosure of user names
The Work Package Activity comment feature does not properly validate whether a mentioned user is a member of the current project.
By manipulating the `data-id` attribute of the `<mention>` element in the comment request, a low-privileged user who has access to a single project can mention arbitrary users within the same organization, even if those users are not members of the project. The backend accepts the supplied user ID without enforcing project membership checks, resolves the mention, and triggers server-side notification workflows (including email notifications).
This behavior violates the intended access control and project isolation model.
This vulnerability was reported by user slashx0x as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-j4m9-7hff-8qgr
CVE-2026-27716 - Information disclosure on OpenProject through /api/v3/custom_fields/{id}/items
The API implementation for `custom_fields` lacks any validation that the current user is authorized on any project using the custom field data. This leaks potentially sensitive, project-specific business logic.
This vulnerability was reported by user syndrome_impostor as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-qpg6-635j-wjc2
CVE-2026-27717 - IDOR on OpenProject allows any user to overwrite any sprint/version title
An attacker can overwrite the Sprint/Version titles of any project in the same instance/using the same database.
This vulnerability was reported by user posisec as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-p3hw-5g6p-69f2
CVE-2026-27718 - Stored HTML Injection via MentionFilter Bypass Leads to Credential Harvesting in Email Notifications
A stored HTML injection vulnerability exists in OpenProject's Markdown rendering pipeline. The MentionFilter decodes HTML entities after the SanitizationFilter has already run, allowing an attacker to inject arbitrary HTML into work package comments. This HTML is stored server-side and rendered without sanitization in email notifications sent to all watchers, assignees, and mentioned users, causing confusion about inserted elements.
This vulnerability was reported by user s-sploit-c as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-cxm3-9m5g-9cq4
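The filter-ordering bug described in this entry is easy to reproduce in miniature. The following is an added example, not OpenProject's MentionFilter or SanitizationFilter code: a toy two-stage pipeline with a constructed allowlist sanitizer, a constructed `<mention data-id="…">` markup convention and a constructed comment. It shows why decoding entities over the whole fragment after sanitization revives neutralised tags, and how a mention filter that only decodes the attribute value it needs keeps the sanitizer's output intact.

```ruby
require "cgi"

# Added example, not OpenProject's filter code: a toy two-stage rendering
# pipeline that reproduces the ordering bug and its fix. The sanitizer, the
# mention markup and the comment text below are all constructed.

# Constructed comment: a legitimate mention, followed by an entity-encoded link
# that the author typed as literal text and that must therefore stay inert.
COMMENT = 'Hi <mention data-id="1">@alice</mention> ' \
          '&lt;a href=&quot;https://phish.example/login&quot;&gt;Re-enter your password&lt;/a&gt;'

ALLOWED_TAGS = %w[mention p strong em].freeze

# Stand-in for a sanitization filter: tags outside the allowlist are escaped so
# they render as text. Entities that are already encoded are left untouched.
def sanitize(html)
  html.gsub(%r{</?([A-Za-z][A-Za-z0-9]*)[^>]*>}) do |tag|
    ALLOWED_TAGS.include?(Regexp.last_match(1).downcase) ? tag : CGI.escapeHTML(tag)
  end
end

# Vulnerable mention filter: it unescapes the whole fragment before looking for
# mentions. Run after sanitization, this turns every escaped tag back into markup.
def mention_filter_vulnerable(html)
  CGI.unescapeHTML(html).gsub(%r{<mention data-id="(\d+)">([^<]*)</mention>}) do
    %(<a class="mention" href="/users/#{Regexp.last_match(1)}">#{Regexp.last_match(2)}</a>)
  end
end

# Hardened mention filter: only the attribute value it needs is decoded, the id
# must be purely numeric, and the surrounding text is never unescaped.
def mention_filter_hardened(html)
  html.gsub(%r{<mention data-id="([^"]*)">([^<]*)</mention>}) do
    id = CGI.unescapeHTML(Regexp.last_match(1))
    next Regexp.last_match(0) unless id.match?(/\A\d+\z/) # leave malformed mentions as inert text
    %(<a class="mention" href="/users/#{id}">#{Regexp.last_match(2)}</a>)
  end
end

def render_vulnerable(comment)
  mention_filter_vulnerable(sanitize(comment))
end

def render_hardened(comment)
  mention_filter_hardened(sanitize(comment))
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(COMMENT) # the escaped link comes back as a live <a> tag
  puts render_hardened(COMMENT)   # the escaped link stays escaped
end
```

The general rule the hardened variant follows is that every stage after the sanitizer must treat the sanitizer's output as final text and only ever add markup it generated itself from validated values.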
CVE-2026-27719 - Authorization flaw in API grids endpoint leads to erase another user widget
The vulnerability is an IDOR/authorization flaw in the My Page grid widgets that allows any authenticated user to delete arbitrary queries by ID. The My Page widgets for work packages accept a `queryId` inside the widget options. This `queryId` is stored without any permission checks, and when the widget is removed, a server-side `after_destroy` hook deletes the query referenced by that `queryId`.
This vulnerability was reported by user Edia_r as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-7xv7-73x4-qqvp
CVE-2026-27720 - IDOR on backlog stories allows leaking of work package subject
The `RbStoriesController` calls `Story.find(params[:id])` without scoping to the current project or visibility. By causing an update to the Story with a subject longer than 255 characters, the update is rejected, which results in the original title being returned in the HTTP response.
Since user stories are mapped to work packages[1], this allows reading out the title of any work package just by providing the incrementing work package ID.
This vulnerability was reported by user posisec as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-xfmm-g339-3x85
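The mention entry (CVE-2026-27715) and this backlog stories entry share one root cause: a client-supplied ID is resolved with a global lookup instead of through the scope the caller is actually authorized on. The block below is an added example and not OpenProject's code; it uses constructed in-memory projects, work packages and memberships to show an unscoped `find` beside a scoped one, and a mention resolver that validates each mentioned ID against the project's member list before anything downstream (such as a notification) could be triggered.

```ruby
require "set"

# Added example, not OpenProject code: scope every lookup that is driven by a
# client-supplied ID through the authorized parent rather than a global find.
# Projects, work packages and memberships below are constructed fixtures.

class NotFound < StandardError; end

Project = Struct.new(:id, :member_ids, :work_package_ids)
WorkPackage = Struct.new(:id, :project_id, :subject)

# Constructed data: user 10 is a member of project 1 only; project 2 is private.
PROJECTS = {
  1 => Project.new(1, Set[10, 11], Set[100]),
  2 => Project.new(2, Set[12], Set[200]),
}.freeze
WORK_PACKAGES = {
  100 => WorkPackage.new(100, 1, "Public roadmap item"),
  200 => WorkPackage.new(200, 2, "Confidential merger plan"),
}.freeze

# The IDOR shape: a global lookup by ID. Whoever can guess an ID gets the record,
# and a rejected update that echoes the record back leaks it just the same.
def find_work_package_unscoped(id)
  WORK_PACKAGES.fetch(id) { raise NotFound }
end

# The scoped shape: resolve the project the caller is a member of first, then
# look the ID up only inside that project's own records. An ID that belongs to
# another project is indistinguishable from one that does not exist.
def find_work_package_scoped(user_id, project_id, wp_id)
  project = PROJECTS.fetch(project_id) { raise NotFound }
  raise NotFound unless project.member_ids.include?(user_id)
  raise NotFound unless project.work_package_ids.include?(wp_id)
  WORK_PACKAGES.fetch(wp_id)
end

# Mention resolution: the data-id values come from the client, so each one is
# checked against the project's membership before it is accepted. Non-members
# are dropped silently; the caller only ever sees members, so no notification
# workflow can be started for anyone outside the project.
def resolve_mentions(project_id, mentioned_ids)
  project = PROJECTS.fetch(project_id) { raise NotFound }
  mentioned_ids.select { |uid| project.member_ids.include?(uid) }
end

if __FILE__ == $PROGRAM_NAME
  puts find_work_package_unscoped(200).subject # leaks the private subject
  begin
    find_work_package_scoped(10, 1, 200)
  rescue NotFound
    puts "scoped lookup: not found"
  end
  p resolve_mentions(1, [10, 11, 12]) # => [10, 11]
end
```

Returning the same `NotFound` for "not a member", "not in this project" and "does not exist" is deliberate: distinct errors would let a caller confirm that an ID exists even when they cannot read it.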
CVE-2026-27721 - Improper Authentication on OpenProject through /oauth/authorize via GET parameter "redirect_uri" when using mobile OAuth app
OpenProject permits the registration of custom URI schemes (e.g., openprojectapp://) for OAuth callbacks without enforcing PKCE (Proof Key for Code Exchange) or validating the exclusivity of the destination application (via Universal Links).
By intercepting the authorization code delivered to that custom scheme, an attacker with access to the mobile device can exchange it for an access token (as the client is "Public" and has no secret), effectively hijacking the user's session and gaining full API access to their account.
This vulnerability was reported by user wayward as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-w92f-h4wh-g4w4
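PKCE is the control this entry names as missing. The following added example, which is not OpenProject's OAuth implementation, walks through RFC 7636 with the S256 method: the client derives a challenge from a secret verifier, the authorization server stores the challenge with the code it issues, and the token endpoint releases a token only to a caller that can present the matching verifier. The `AuthorizationServer` class, its in-memory code store and the token format are constructed for the example; the exclusivity of the destination app (Universal Links) is a platform-level control and is out of scope here.

```ruby
require "securerandom"
require "digest"
require "base64"

# Added example, not OpenProject's OAuth code: PKCE (RFC 7636, S256) binds an
# authorization code to the client instance that requested it, so a code that
# leaks through a custom-scheme redirect cannot be exchanged on its own.
# AuthorizationServer and the token format are constructed stand-ins.

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Client side: a fresh high-entropy verifier per authorization request and the
# SHA-256 challenge derived from it. Only the challenge is sent; the verifier
# stays in the client's memory until the token exchange.
def generate_pkce_pair
  verifier = b64url(SecureRandom.random_bytes(32)) # 43 chars, within RFC 7636's 43..128
  { verifier: verifier, challenge: b64url(Digest::SHA256.digest(verifier)), method: "S256" }
end

class AuthorizationServer
  VERIFIER_FORMAT = /\A[A-Za-z0-9\-._~]{43,128}\z/

  def initialize
    @pending = {} # code => challenge, single use
  end

  # Authorization endpoint: a public client without an S256 challenge gets no code.
  def issue_code(challenge:, method:)
    raise ArgumentError, "code_challenge_method must be S256" unless method == "S256"
    code = b64url(SecureRandom.random_bytes(24))
    @pending[code] = challenge
    code
  end

  # Token endpoint: the code is consumed on first presentation, and a token is
  # released only if the presented verifier hashes to the stored challenge.
  def exchange(code:, verifier:)
    challenge = @pending.delete(code)
    return nil if challenge.nil?
    return nil unless verifier.to_s.match?(VERIFIER_FORMAT)
    expected = b64url(Digest::SHA256.digest(verifier))
    return nil unless constant_time_equal?(expected, challenge)
    "access-token:#{b64url(SecureRandom.random_bytes(16))}"
  end

  private

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  server = AuthorizationServer.new
  pair = generate_pkce_pair
  code = server.issue_code(challenge: pair[:challenge], method: pair[:method])
  p server.exchange(code: code, verifier: "x" * 43)         # nil: wrong verifier, code burnt
  code = server.issue_code(challenge: pair[:challenge], method: "S256")
  p server.exchange(code: code, verifier: pair[:verifier])   # "access-token:..."
  p server.exchange(code: code, verifier: pair[:verifier])   # nil: replay
end
```

Consuming the code on the first exchange attempt, whether or not it succeeds, is what makes an intercepted code useless for guessing: the legitimate client and the interceptor race for a single use, and the loser gets nothing.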
CVE-2026-27722 - IDOR on OpenProject through /meetings/{meeting_id}/agenda_items/{id}/move_to_section via POST request
There is an Insecure Direct Object Reference (IDOR) in the `MeetingAgendaItemsController#move_to_section` endpoint. This allows an authenticated user to perform Meeting Agenda Pollution by moving their own agenda items into any meeting section of any other project. While the initial agenda item is loaded from the authorized meeting context, the controller fails to validate that the target `meeting_section_id` belongs to the same project or a project where the user has permission.
This vulnerability was reported by user Herdiyan Adam Putra (herdiyanitdev) as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-xw8w-4qxm-g9gv
CVE-2026-27731 - IDOR on OpenProject via PUT /work_packages/[workPackageId]/activities/[activityId]/toggle_reaction allows reader user to read internal comments
A missing permission check on the endpoint to add an emoji reaction to a comment allows an attacker to add an emoji reaction to internal comments, even if they do not have access to internal comments. To correctly display the information in the frontend, the server returns the complete internal comment with the added emoji reaction to the attacker. This allows the attacker, by guessing the ID of an internal comment, to access those comments without the permission to see them.
This vulnerability was reported by user tuannq_gg as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-3qgp-q2x5-c4jw
CVE-2026-27733 - Authorization bypass via MCP endpoint
If the MCP server is enabled in the application, users that do not have access to enumerate `Status` or `Types` could access those resources without proper permission checks via the MCP server.
This vulnerability was reported by users noidont and syndrome_impostor as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-w9w6-f59w-89vj
CVE-2026-27817 - Missing boundary check allows users with Manage Agenda Items permission in one project to create Agenda Items in Meetings in other projects
When creating meeting agenda items, the code did not properly check that the section an agenda item should be put into belongs to the meeting provided in the URL. This led to a user with the Manage Meeting Agendas permission in one project being able to add meeting agenda items to every meeting in the instance. Together with the response about the creation of the meeting agenda item, certain meeting details were exposed, including:
- Status of the meeting
- Creator of the meeting
- Date and time range of the meeting
No other details of the meeting information were exposed.
This vulnerability was reported by user sam91281 as part of the [YesWeHack.com OpenProject...
v17.0.4 Changes
Release date: 2026-02-18
We released OpenProject 17.0.4.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-26966 - Improper Access Control on OpenProject through /api/v3/queries via POST request allows unauthorized users to create project queries
A broken access control vulnerability exists in the `/api/v3/queries` endpoint that allows a normal authenticated user, without sufficient permissions, to create private project queries. By reusing a valid request generated by an administrator and replacing the session cookie and CSRF token with those of a low-privileged user, the backend accepts the request and successfully creates the query.
This action should be restricted to authorized roles only. The issue demonstrates missing or improper authorization checks on query creation.
This vulnerability was reported by user slashx0x as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-5m66-2gm7-6jcc
CVE-2026-26968 - Improper Access Control on OpenProject instance through /api/v3/capabilities
The `/api/v3/capabilities` endpoint allows unauthorized enumeration of private project names and detailed permissions by specifying the built-in admin user ID as the principal. While the API correctly prevents querying the capabilities of other users, the built-in Admin account remains resolvable.
Since projects use incremental values, and the built-in admin has visibility on all projects, this facilitates mapping of the entire OpenProject instance.
This vulnerability was reported by users syndrome_impostor and noidont as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-g62r-9rgf-h53q
CVE-2026-26969 - HTML Injection on OpenProject instance through project name
The application is vulnerable to HTML injection due to improper sanitization of user-supplied input for the project name.
An attacker can inject arbitrary HTML tags into the response, altering the structure of the page; the payload is later executed while creating work packages.
This vulnerability was reported by user roro1702 as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-r4v5-h2fp-fhxf
CVE-2026-26970 - HTML injection on wiki updated mailer
An HTML injection vulnerability occurs in the wiki updated mailer function of OpenProject. The application does not properly escape HTML tags: an attacker with invitation rights, or users themselves when registrations are open, can create a user name containing HTML tags. If they then gain the permission to add or edit wiki pages, their author tag is not properly escaped in emails.
This vulnerability was reported by user yokokho as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-jrhg-mx22-57rm
CVE-2026-26971 - IDOR on Hourly Rates Controller allows deletion of Hourly Rates on other projects
A project-scoped hourly rates update endpoint in the Costs module allows deleting a target user's hourly rates across all projects by sending a crafted request that omits the user parameter. The request is authorized only against the URL project (`:project_id`), but the deletion query is not scoped to that project, resulting in cross-project broken access control (horizontal privilege escalation).
This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-xh2h-jfr6-3qhc
CVE-2026-26976 - HTML Injection via Email Field in User Registration Leading to Malicious Notification Email to Instance Owner (Admin)
When anonymous registration is enabled, an unauthenticated attacker can submit a malicious payload in the email field during a registration attempt (/account/register). Even when the registration fails due to the free plan user limit (10 active users), the system sends a notification email to the instance owner/admin warning that the user limit is reached. This email reflects the malicious email payload unescaped in the body/subject/content, allowing HTML injection.
This enables phishing, content spoofing, or (in rare cases with permissive email clients) limited XSS-like behavior in the admin's inbox.
This vulnerability was reported by user pdowski as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-6m5j-mp2j-cgmm
CVE-2026-27006 - Path Traversal on OpenProject BIM Edition leads to Arbitrary File upload on BCF module, resulting in possible RCE when using file-based caching
An authenticated attacker with BCF module access can write arbitrary files to any writable directory on the server through a path traversal vulnerability in the BCF import functionality. For docker-compose based installations, this can be expanded to a remote code execution using cache deserialization.
This vulnerability was reported by user shafouzzz as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-4fvm-rrc8-mgch
CVE-2026-27019 - Path Traversal via Incoming Email Attachments Leads to Arbitrary File Write and RCE
When OpenProject is configured to accept and handle incoming emails, it was possible that an attacker could send an email with a specially crafted attachment that would be written to a predefined location in the filesystem. All files that can be written by the `openproject` system user could be written. This could even be escalated to a Remote Code Execution vulnerability.
This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-r85w-rv9m-q784
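Both path traversal entries above (the BCF import, CVE-2026-27006, and incoming email attachments, CVE-2026-27019) come down to a file name taken from untrusted input being joined onto a storage directory. The block below is an added example and not OpenProject's attachment or BCF code; the `safe_attachment_path` and `store_attachment` helpers are constructed to show the two checks a defender wants: reject any name that carries path syntax at all, and then still verify that the fully resolved path lies inside the intended base directory.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not OpenProject code: resolve a file name taken from untrusted
# input (an uploaded BCF archive entry, a mail attachment name) against a fixed
# base directory and refuse anything that could land outside it.

class PathTraversal < StandardError; end

def safe_attachment_path(base_dir, untrusted_name)
  base = File.expand_path(base_dir)
  name = untrusted_name.to_s

  # First line: a bare file name carries no directory syntax at all. Anything
  # with a separator (either flavour), a NUL byte, or that is "." or ".." is
  # rejected outright rather than silently "cleaned".
  if name.empty? || name.include?("\0") || name.match?(%r{[/\\]}) || name == "." || name == ".."
    raise PathTraversal, "rejected file name #{name.inspect}"
  end

  # Second line: resolve and verify containment anyway. expand_path also
  # expands "~user" spellings, which the containment check then catches.
  target = File.expand_path(name, base)
  unless target.start_with?(base + File::SEPARATOR)
    raise PathTraversal, "#{name.inspect} resolves outside #{base}"
  end
  target
end

# Write the attachment only once the path has passed both checks.
def store_attachment(base_dir, untrusted_name, bytes)
  path = safe_attachment_path(base_dir, untrusted_name)
  FileUtils.mkdir_p(File.dirname(path))
  File.binwrite(path, bytes)
  path
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts store_attachment(dir, "report.pdf", "constructed content")
    ["../../etc/passwd", "/etc/passwd", "..", "a\\..\\b", "~root"].each do |bad|
      begin
        safe_attachment_path(dir, bad)
      rescue PathTraversal => e
        puts "blocked: #{e.message}"
      end
    end
  end
end
```

Rejecting names with separators instead of stripping them to a basename is a deliberate choice: a stripped name like `passwd` would be stored as if nothing happened, and the rejected request is the signal a defender wants to see in the logs.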
Bug fixes and changes
v17.0.3 Changes
Release date: 2026-02-06
We released OpenProject 17.0.3.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
GHSA-q523-c695-h3hp - Stored HTML injection on time tracking
An HTML injection vulnerability occurs in the time tracking function of OpenProject version 17.0.2. The application does not escape HTML tags: an attacker with administrator privileges can create a work package with a name containing HTML tags and add it to the `Work package` section when creating time tracking entries.
Responsibly disclosed by researcher Nguyen Truong Son (truongson526@gmail.com) through the GitHub advisory.
For more information, please see the GitHub advisory #GHSA-q523-c695-h3hp
GHSA-x37c-hcg5-r5m7 - Command Injection on OpenProject repositories leads to Remote Code Execution
An arbitrary file write vulnerability exists in OpenProject's repository changes endpoint (`/projects/:project_id/repository/changes`) when rendering the "latest changes" view via `git log`. By supplying a specially crafted `rev` value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject `git log` command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled `rev` as an option and writes the output to an attacker-chosen path.
As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of `git log` output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as `/etc/passwd`.
This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-x37c-hcg5-r5m7
Bug fixes and changes
- Bugfix: Unable to change to earlier finish date for automatically scheduled successor [#65130]
- Bugfix: DPA/AVV cannot be downloaded [#67323]
- Bugfix: Hocuspocus logs [onAuthenticate] fetch failed and connection to collaboration server not possible [#70542]
- Bugfix: Wrong sidebar sort order in System Admin Guide -> Authentication [#70914]
- Bugfix: "form_configuration-status=422" Unable to Change Custom fields in Work Packages without Enterprise Plan [#71093]
Contributions
A big thanks to our Community members for reporting bugs and helping us identify and provide fixes.
This release, special thanks for reporting and finding bugs go to Stefan Weiberg and Christoph Withers.
v17.0.2 Changes
Release date: 2026-01-27
We released OpenProject 17.0.2.
The release contains a security fix and several bug fixes and we strongly recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-24685 - Argument Injection on Repository Diff allows Arbitrary File Write and Remote Code Execution
An arbitrary file write vulnerability exists in OpenProject's repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via `git show`. By supplying a specially crafted `rev` value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject `git show` command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled `rev` as an option and writes the output to an attacker-chosen path.
As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of `git show` output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability.
When the user has permissions to write into the repository, they can craft a specific commit to result in RCE within the permission scope of the OpenProject application.
This vulnerability was responsibly disclosed by sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission. Thank you for your collaboration.
For more information, please see the GitHub advisory #GHSA-74p5-9pr3-r6pw
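The `git log` argument injection in 17.0.3 (GHSA-x37c-hcg5-r5m7) and the `git show` one in this entry have the same shape: a user-controlled `rev` reaches git's command line in a position where git will read a leading `-` as an option. The following is an added example, not OpenProject's SCM adapter; `REV_PATTERN`, the argv layout and the `run_git` wrapper are constructed here. It layers two independent controls: a strict syntactic check on the revision, and an argv built as an array with git's own `--end-of-options` marker in front of the user-controlled value, so that git treats it as a revision even if the pattern were ever loosened.

```ruby
require "open3"

# Added example, not OpenProject's SCM code: guard the `rev` value that the
# `git log` (GHSA-x37c-hcg5-r5m7) and `git show` (GHSA-74p5-9pr3-r6pw) entries
# describe. REV_PATTERN and the argv layout are constructed for this example.

class UnsafeRevision < StandardError; end

# A revision may not start with "-", may not contain whitespace or control
# characters, and is bounded in length. This deliberately excludes some valid
# git spellings (for example reflog syntax "HEAD@{1}") in exchange for a rule
# that is easy to audit.
REV_PATTERN = %r{\A[A-Za-z0-9][A-Za-z0-9._/^~-]{0,254}\z}

def validated_rev(rev)
  rev = rev.to_s
  raise UnsafeRevision, "revision #{rev.inspect} rejected" unless rev.match?(REV_PATTERN)
  rev
end

# argv is an array, never a shell string. The user-controlled revision follows
# "--end-of-options" (git >= 2.24), after which git parses nothing as an option,
# and "--" then terminates the revision list so it cannot be read as a path.
def git_log_argv(repo_dir, rev, limit: 20)
  ["git", "-C", repo_dir, "log", "--no-color", "--max-count=#{Integer(limit)}",
   "--end-of-options", validated_rev(rev), "--"]
end

def git_show_argv(repo_dir, rev)
  ["git", "-C", repo_dir, "show", "--no-color", "--end-of-options", validated_rev(rev), "--"]
end

# Execute without a shell; stdout is the only place git output can go.
def run_git(argv)
  out, err, status = Open3.capture3(*argv)
  raise "git failed: #{err.strip}" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  p git_log_argv("/srv/repos/example", "main")
  begin
    git_show_argv("/srv/repos/example", "--output=/tmp/poc.txt")
  rescue UnsafeRevision => e
    puts "blocked: #{e.message}"
  end
end
```

The pattern check is what produces a clear 4xx and a log line; `--end-of-options` is the backstop for the day someone relaxes the pattern. Neither control on its own is enough to rely on.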
CVE-2026-24772 - SSRF and CSWSH in Hocuspocus Synchronization Server
To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours and encrypts it with a shared secret known only to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check the user's ability to work on the document and perform intermittent saves while editing.
The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that they intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf.
The vulnerability has been responsibly disclosed through the YesWeHack bounty program for OpenProject by Scott Curtis (syndrome_impostor). Thank you for the responsible disclosure and your collaboration in this report!
For more information, please see the GitHub advisory #GHSA-r854-p5qj-x974
CVE-2026-24775 - Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension
In the new editor for collaborative documents based on BlockNote we added a custom extension that allows mentioning OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance.
The vulnerability has been responsibly disclosed through the YesWeHack bounty program for OpenProject by Scott Curtis (syndrome_impostor). Thank you two for the responsible disclosure and your collaboration in this report!
For more information, please see the GitHub advisory #GHSA-35c6-x276-2pvc
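The two 17.0.2 entries above that involve a client-supplied destination (the backend URL handed to the synchronization server in CVE-2026-24772, and the work package ID spliced into an API path in CVE-2026-24775) are both fixed by validating the value against what the server is willing to reach before any request is built. The block below is an added example and not OpenProject's or Hocuspocus's code: `ALLOWED_BACKENDS` is a constructed allowlist, and the helper names are hypothetical. It compares the submitted URL's origin (scheme, host, port) against the allowlist, refuses userinfo tricks, and accepts an ID only when it is digits and nothing else.

```ruby
require "uri"

# Added example, not OpenProject or Hocuspocus code: a synchronization server
# should only ever call back to the backends it was deployed for, and a work
# package ID embedded in an API path must be a number and nothing else.
# ALLOWED_BACKENDS is a constructed allowlist.

class RejectedUrl < StandardError; end

ALLOWED_BACKENDS = [
  "https://openproject.example.com",
  "https://pm.internal.example:8443",
].freeze

def origin_of(uri)
  "#{uri.scheme}://#{uri.host}:#{uri.port}"
end

# Parse, require https, refuse userinfo (which makes "allowed.host@evil" look
# allowed to a naive prefix check), and compare the origin exactly.
def validated_backend_url(raw)
  uri = URI.parse(raw.to_s)
  raise RejectedUrl, "only https backends are accepted" unless uri.is_a?(URI::HTTPS)
  raise RejectedUrl, "userinfo is not allowed in a backend URL" if uri.userinfo
  raise RejectedUrl, "no host" if uri.host.nil? || uri.host.empty?
  allowed = ALLOWED_BACKENDS.map { |a| origin_of(URI.parse(a)) }
  raise RejectedUrl, "#{origin_of(uri)} is not an allowed backend" unless allowed.include?(origin_of(uri))
  uri
rescue URI::InvalidURIError => e
  raise RejectedUrl, "unparseable URL: #{e.message}"
end

# An ID that is not purely numeric cannot turn into a path segment, query
# string or relative link when interpolated into the API path.
def validated_work_package_id(raw)
  raw = raw.to_s
  raise ArgumentError, "work package id must be digits only" unless raw.match?(/\A\d{1,18}\z/)
  Integer(raw, 10)
end

def work_package_api_path(raw_id)
  "/api/v3/work_packages/#{validated_work_package_id(raw_id)}"
end

if __FILE__ == $PROGRAM_NAME
  p validated_backend_url("https://openproject.example.com/api/v3").to_s
  ["https://attacker.example/capture", "http://openproject.example.com",
   "https://openproject.example.com@attacker.example/"].each do |bad|
    begin
      validated_backend_url(bad)
    rescue RejectedUrl => e
      puts "rejected: #{e.message}"
    end
  end
  p work_package_api_path("42")
end
```

Matching on origin rather than on a string prefix is the important detail: a prefix check on `https://openproject.example.com` passes `https://openproject.example.com.attacker.example/` and `https://openproject.example.com@attacker.example/`, while an exact origin comparison rejects both.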
Bug fixes and changes
- Bugfix: Unable to change to earlier finish date for automatically scheduled successor [#65130]
- Bugfix: Meeting outcomes cannot be saved with ctrl/cmd+enter [#69974]
- Bugfix: AXe Accessibility error: invalid list structure [#70573]
- Bugfix: Fix AXe Accessibility error: Navigation toggler must have discernible text [#70574]
- Bugfix: Documents module is missing meaningful html title [#70614]
- Bugfix: Users with the "Manage Users" permission did not see links to Lock/Unlock users [#70796]
- Bugfix: Cannot authorise OpenProject app with OpenProject when user has 2FA enabled [#70966]
- Bugfix: Running docker slim image, runs slim-bim one [#70980]
- Bugfix: 'For all projects' project attributes are not displayed during new project creation [#70982]
- Bugfix: Fix revision parsing in git diff output [#71020]
v17.0.1 Changes
Release date: 2026-01-16
We released OpenProject 17.0.1.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-23646 - Users can delete other user's session, causing them to be logged out
Users in OpenProject have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the IDs that are used to identify these session objects are incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc.) of other users that is stored in the session.
This vulnerability was assigned as CVE-2026-23646.
For more information, please see the GitHub Advisory GHSA-w422-xf8f-v4vp. The vulnerability has been responsibly disclosed through the YesWeHack bounty program for OpenProject. This bug bounty program is being sponsored by the European Commission.
CVE-2026-23721 - Users with "View Members" permission in any project can view all Group memberships
When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of.
Due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group.
This vulnerability was assigned as CVE-2026-23721.
For more information, please see the GitHub Advisory GHSA-vj77-wrc2-5h5h. The vulnerability has been responsibly disclosed through the YesWeHack bounty program for OpenProject. This bug bounty program is being sponsored by the European Commission.
CVE-2026-23625 - Stored XSS regression on OpenProject using attachments and script-src self
OpenProject versions >= 16.3.0, < 16.6.5 and < 17.0.1 are affected by a stored XSS vulnerability in the Roadmap view. OpenProject's roadmap view renders the "Related work packages" list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper `link_to_work_package` prepends `package.project.to_s` to the link and returns the entire string with `.html_safe`. Because project names are user-controlled and no escaping happens before calling `html_safe`, any HTML placed in a subproject name is injected verbatim into the page.
This vulnerability was assigned as CVE-2026-23625.
For more information, please see the GitHub Advisory GHSA-cvpq-cc56-gwxx. The vulnerability has been responsibly disclosed through the YesWeHack bounty program for OpenProject. This bug bounty program is being sponsored by the European Commission.
Bug fixes and changes
- Bugfix: BlockNote: OpenProject work packages are sorted by their ID instead of the last updated by [#67536]
- Bugfix: Required project attributes not enforced on POST /api/v3/projects [#70107]
- Bugfix: NoMethodError in Storages::Admin::AccessManagementController#update [#70492]
- Bugfix: Form Configuration for Work Package Types does not properly validate Enterprise Plan [#70503]
- Bugfix: PDF export with custom uploaded logo/fonts fails with some storage configurations (S3) [#70560]
v17.0.0 Changes
Release date: 2026-01-14
We released OpenProject 17.0.0.
The release contains several bug fixes and we recommend updating to the newest version.
In these Release Notes, we will give an overview of important feature changes. At the end, you will find a complete list of all changes and bug fixes.
Important feature changes
Take a look at our release video showing the most important features introduced in OpenProject 17.0.0:
Release video of OpenProject 17.0
Real-time documents collaboration
OpenProject 17.0 introduces real-time collaborative editing in the Documents module. Multiple users can work on the same document simultaneously, with live cursors, continuous updates, and automatic saving. The new BlockNote editor replaces the previous CKEditor-based documents for all installations where real-time collaboration is enabled.
Real-time collaboration requires a running Hocuspocus server:
- OpenProject Cloud: Real-time collaboration is enabled automatically for all Cloud instances.
- Container-based on-premises installations (Docker, Docker Compose, Helm/Kubernetes): Intended to work out of the box with 17.0. A Hocuspocus service will be automatically provided as part of the standard setup.
- Package-based installations (DEB/RPM): Does not include Hocuspocus. These installations will continue using CKEditor-based documents unless administrators set up their own Hocuspocus server and configure OpenProject accordingly.
When real-time editing is enabled, Documents support:
- Live collaborative editing with visible cursors from all connected users.
- Real-time updates in both edit and read-only mode.
- Work package integration via slash commands:
  - Link or embed work packages as rich preview blocks.
  - Users without access see secure ghost references.
- Continuously updating "last edited" timestamp.
- List of connected users, including read-only viewers.
- Automatic saving without a manual save button.
- Improved document layout with breadcrumbs, editable title, type selector, connected user avatars, and last-updated indicator.
- Inline file uploads by dragging files directly into the editor.
- Files panel that updates instantly and supports deleting attachments.
- Editor skeleton displayed while loading.
- Unified document URL (`/documents/<id>`) for both editing and viewing.
Note
If real-time collaboration is enabled but no functioning Hocuspocus server is reachable, OpenProject does not fall back to CKEditor. Instead, the document editor is temporarily hidden and an error banner is shown with an option to retry. Once the connection to the collaboration server is restored, the editor becomes available again automatically.
See our system admin guide for detailed information on real-time collaboration with OpenProject.
Programs and portfolios for strategic structuring (Enterprise add-on)
OpenProject 17.0 introduces hierarchical workspaces to better organize large project landscapes. Customers of the Enterprise Premium plan can now structure related items (projects, programs, and portfolios) to align operational work with strategic goals.
With this new hierarchy:
- Projects represent operational work.
- Programs group related projects into coordinated initiatives.
- Portfolios provide a higher-level view across multiple programs and projects.
Projects, programs, and portfolios all use the same familiar concept of an overview page with widgets, lifecycle dates and attributes. Portfolios and projects appear as top-level entries in the global navigation and project selector, while programs are accessed through portfolios.
Creating workspaces also becomes more consistent: administrators can define default templates for programs, portfolios, and projects so that new items follow the correct structure from the start. When users create new entries through the Subitems widget or other creation shortcuts, both the parent hierarchy and the appropriate template are prefilled automatically.
A dedicated global permission now controls who may create programs and portfolios, ensuring that the new hierarchy can be introduced in a controlled way.
This update lays the foundation for future portfolio-level and program-level capabilities in OpenProject. See our user guide to learn more about the portfolio module (Enterprise add-on) in OpenProject.
Note
This new hierarchy is especially valuable for organizations working with structured project management frameworks such as PM² or PMflex, where programs and portfolios play a central role.
Better meeting management with draft mode, presentation mode, multiple outcomes, and iCal subscription
OpenProject 17.0 introduces several great improvements that make meeting preparation and documentation more intuitive, structured, and efficient.
Draft mode
New meetings now open in draft mode, allowing moderators to prepare agendas, add participants, and structure content before sending out invitations or updates.
A banner clearly indicates draft mode, and invitations are only sent once the meeting is explicitly opened by clicking on the green "Open meeting" button. Only then can invitations be sent and the usual update behaviour applies.
See our user guide to learn more about meeting draft mode in OpenProject.
Full-screen presentation mode
The new presentation mode offers a distraction-free, full-screen view that focuses on the current agenda item. It shows the meeting title, agenda item details, and navigation controls in a clear layout, including:
- a sticky header with the meeting title and exit button,
- a sticky footer with progress, previous/next navigation and a running timer.
Unlike the standard view, changes made by participants are reflected live in presentation mode, so moderators and attendees always see the current state of the agenda without additional pop-ups. Keyboard navigation using arrow keys is possible.
See our user guide to learn how to present a meeting in OpenProject.
Multiple text-based outcomes per agenda item
Agenda items can now hold multiple text-based outcomes: the + Outcome button remains available while the meeting is In progress and allows moderators to record more than one result for the same item. The first outcome is labelled "Outcome", additional ones are numbered ("Outcome 1", "Outcome 2", and so on). These outcomes are also supported in the PDF exports of meetings. This feature is a preparation for future improvements, such as creating work packages as outcomes.
Unified "My meetings" iCal subscription
To avoid duplicate or confusing calendar invites, users can now subscribe to all their meetings through a single iCal subscription URL from the My meetings page or settings. External calendars (for example Outlook, Apple Calendar, or Open-Xchange) stay in sync automatically. Individual .ics files remain available when needed, but sending them is now more clearly controlled via dedicated options when creating or updating meetings.
See our user guide to learn how to subscribe to OpenProject meetings.
β‘οΈ Updated SharePoint integration with more restrictive permissions (Enterprise add-on)
Before OpenProject 17.0, the Microsoft 365 file storage integration was a single combined OneDrive/SharePoint integration available as an Enterprise add-on in the Professional plan. With this release, it is now split into two separate integrations β one for OneDrive and one for SharePoint β giving administrators clearer setup options and more flexibility.
For the SharePoint integration, OpenProject 17.0 introduces support for Microsoft's Sites.Selected permission model. This allows administrators to grant the OpenProject Entra ...
-
v16.6.10 Changes
Release date: 2026-03-31
We released OpenProject 16.6.10.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string
The =n operator in cost reports did not appropriately treat user input
This vulnerability was reported by user Ochk0 through a GitHub security advisory. Thank you for responsibly disclosing your findings.
For more information, please see the GitHub advisory #GHSA-5rrm-6qmq-2364
Bug fixes and changes
-
v16.6.9 Changes
Release date: 2026-03-16
We released OpenProject 16.6.9.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-32698 - SQL Injection via Custom Field Name can be chained to Remote Code Execution
OpenProject is vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query without proper sanitization. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report.
As custom fields can only be created by users with full administrator privileges, the attack surface is somewhat reduced.
Together with another bug in the Repositories module, which used the project identifier without sanitization to generate the checkout path for a git repository in the filesystem, this allowed an attacker to check out a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, this allows the attacker to inject Ruby code into the application upon its next restart.
As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, it needs to be changed via the SQL injection described above.
This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-jqhf-rf9x-9rhx
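As an added example (not OpenProject's code) covering both the =n operator issue in v16.6.10 and the custom field name injection above, the following Ruby contrasts interpolating an identifier or a numeric operand straight into SQL with identifier quoting and strict numeric parsing; the column and table names are hypothetical.

```ruby
# Added example, not OpenProject's code. Contrasts the two patterns behind the
# cost-report advisories: interpolating a custom field name (an identifier) into
# SQL, and interpolating the operand of a numeric "=n" style filter. Column and
# table names are hypothetical.

# Vulnerable pattern: whatever the custom field is called ends up in the query.
def vulnerable_select(column_name)
  "SELECT #{column_name} FROM custom_values"
end

# PostgreSQL identifier quoting: wrap in double quotes and double any embedded
# double quote. Identifiers cannot be bound as query parameters, so quoting is
# the fix for names (ActiveRecord applies the same rule in quote_column_name).
def quote_identifier(name)
  s = name.to_s
  raise ArgumentError, "identifier contains NUL" if s.include?("\0")
  raise ArgumentError, "identifier too long" if s.bytesize > 63 # PostgreSQL truncates longer names
  '"' + s.gsub('"', '""') + '"'
end

def safe_select(column_name)
  "SELECT #{quote_identifier(column_name)} FROM custom_values"
end

# Strict numeric parsing for the "=n" operand. Integer()/Float() raise unless
# the whole string is a number; to_i/to_f would silently turn "1 OR 1=1" into 1,
# and interpolating the raw string is the injection.
def parse_number_string(raw)
  s = raw.to_s.strip
  Integer(s, 10)
rescue ArgumentError
  begin
    Float(s)
  rescue ArgumentError
    raise ArgumentError, "not a number: #{raw.inspect}"
  end
end

# Hardened "=n" predicate: quoted identifier, validated numeric literal.
def numeric_equals_sql(column_name, raw_value)
  "#{quote_identifier(column_name)} = #{parse_number_string(raw_value)}"
end
```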
CVE-2026-32703 - Repository files are served with a MIME type that allows them to be used to bypass the Content Security Policy
When using the Repositories module in a project, it was possible to access the raw files via the browser with a URL like /projects/{project}/repository/revisions/{commit_id}/raw/{file}.js.raw. For those files, the MIME type was detected via the filename extension. JavaScript and CSS files were then served from the same domain name as the application, with the correct MIME type for active content, and could be used to bypass the Content Security Policy. Together with other areas where unsanitized HTML was served, this allowed persistent XSS attacks.
The MIME type detection for Repository files has been removed and files are served as application/octet-stream, which will block their execution via the Content Security Policy.
Two places that could be used to abuse this vulnerability have been fixed:
The Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access to the repository to create commits with filenames that included HTML code, which was injected into the page without proper sanitization. This allowed a persistent XSS attack against all members of this project who accessed the repositories page to display a changeset in which the maliciously crafted file was deleted.
When a work package name contains HTML content and the work package is attached to a meeting, the work package name is rendered in the activities feed without proper sanitization.
All of those vulnerabilities were reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-p423-72h4-fjvp
Bug fixes and changes
-
v16.6.8 Changes
Release date: 2026-02-18
We released OpenProject 16.6.8.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-27006 - Path Traversal on OpenProject BIM Edition leads to Arbitrary File upload on BCF module, resulting in possible RCE when using file-based caching
An authenticated attacker with BCF module access can write arbitrary files to any writable directory on the server through a path traversal vulnerability in the BCF import functionality. For docker-compose based installations, this can be expanded to a remote code execution using cache deserialization.
This vulnerability was reported by user shafouzzz as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-4fvm-rrc8-mgch
CVE-2026-27019 - Path Traversal via Incoming Email Attachments Leads to Arbitrary File Write and RCE
When OpenProject is configured to accept and handle incoming emails, it was possible for an attacker to send an email with a specially crafted attachment that would be written to a predefined location in the filesystem. Any file that the openproject system user is allowed to write could be written. This could even be escalated to a Remote Code Execution vulnerability.
This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-r85w-rv9m-q784
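Both path traversal advisories in this release (CVE-2026-27006 and CVE-2026-27019) come down to writing a client-supplied file name without confining it to the intended directory. The following Ruby helper is an added example, not OpenProject's code; its directory and file names are constructed.

```ruby
# Added example, not OpenProject's code. A helper that confines a client-
# supplied file name (a BCF import entry or an incoming mail attachment) to one
# directory before writing, which is the check missing in both path traversal
# advisories above. Directory and file names are constructed.
require "fileutils"

class PathTraversalError < StandardError; end

# Returns the absolute destination inside base_dir, or raises. The name is
# reduced to its last path segment, then the normalised result is re-checked
# against the base so ".." sequences or absolute paths can never escape.
def confine_path(base_dir, untrusted_name)
  name = untrusted_name.to_s
  raise PathTraversalError, "NUL byte in file name" if name.include?("\0")
  base = File.expand_path(base_dir)
  leaf = File.basename(name.tr("\\", "/")) # also neutralise Windows separators
  if leaf.empty? || leaf == "." || leaf == ".."
    raise PathTraversalError, "empty or dot-only file name"
  end
  target = File.expand_path(File.join(base, leaf))
  unless target.start_with?(base + File::SEPARATOR)
    raise PathTraversalError, "escapes base directory: #{name.inspect}"
  end
  target
end

# Writes content only through confine_path and returns the path actually used.
def store_attachment(base_dir, untrusted_name, content)
  dest = confine_path(base_dir, untrusted_name)
  FileUtils.mkdir_p(File.dirname(dest))
  File.binwrite(dest, content)
  dest
end
```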
Bug fixes and changes
-
v16.6.7 Changes
Release date: 2026-02-06
We released OpenProject 16.6.7.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
GHSA-q523-c695-h3hp - Stored HTML injection on time tracking
An HTML injection vulnerability occurs in the time tracking function of OpenProject version 17.0.2. Because the application does not escape HTML tags, an attacker with administrator privileges can create a work package with a name containing HTML tags and add it to the Work package section when creating a time tracking entry.
Responsibly disclosed by researcher Nguyen Truong Son (truongson526@gmail.com) through the GitHub advisory.
For more information, please see the GitHub advisory #GHSA-q523-c695-h3hp
GHSA-x37c-hcg5-r5m7 - Command Injection on OpenProject repositories leads to Remote Code Execution
An arbitrary file write vulnerability exists in OpenProject's repository changes endpoint (/projects/:project_id/repository/changes) when rendering the "latest changes" view via git log.
By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path.
As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd.
This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-x37c-hcg5-r5m7
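The defect above is option injection into an argument vector: a value meant as a revision is parsed by Git as a flag. As an added example (not OpenProject's code), the Ruby below builds the argv for such a git log call with an allow-list on the revision and Git's --end-of-options separator; the repository path and limit are constructed.

```ruby
# Added example, not OpenProject's code. Builds the argument vector for the
# `git log` call behind a "latest changes" view so that a client-supplied
# revision can never be parsed by Git as an option, which is the defect in the
# advisory above. Repository path and limit are constructed.

class UnsafeRevisionError < StandardError; end

# Allow a hex object id or a plain ref name (letters, digits, . _ / -) that
# does not start with "-". Anything else is refused before Git ever sees it.
REV_PATTERN = /\A(?:[0-9a-f]{4,64}|[A-Za-z0-9][A-Za-z0-9._\/-]*)\z/

def validate_rev(rev)
  s = rev.to_s
  raise UnsafeRevisionError, "revision must not start with '-'" if s.start_with?("-")
  unless s.match?(REV_PATTERN)
    raise UnsafeRevisionError, "revision has unexpected characters: #{s.inspect}"
  end
  s
end

# argv for Process.spawn / Open3.capture3 called with an array, never a shell
# string. Two layers: the allow-list above, and --end-of-options (Git 2.24+)
# plus "--", so an option-shaped value would be read as a revision, not a flag.
def git_log_argv(repo_path, rev, limit: 50)
  ["git", "-C", repo_path.to_s, "log", "--no-color", "-n", Integer(limit).to_s,
   "--end-of-options", validate_rev(rev), "--"]
end
```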
Bug fixes and changes