Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
Published advisories (title, GHSA identifier, publication date, publisher, severity):

- SQL injection in timestamps functionality (GHSA-98vw-2r87-fx2r), published Jun 8, 2026 by oliverguenther. Severity: Critical
- CSRF on TARGET through /users/:id via POST parameter "user[admin]" (GHSA-6crw-7f5r-4qj9), published Jun 8, 2026 by oliverguenther. Severity: High
- Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description" (GHSA-q33w-f822-hg8x), published Jun 8, 2026 by oliverguenther. Severity: Moderate
- Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure (GHSA-h83w-5q5x-pq27), published Jun 8, 2026 by oliverguenther. Severity: High
- IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources (GHSA-3vpx-94qx-xpw6), published Jun 8, 2026 by oliverguenther. Severity: Critical
- Cache store poisoning leads to Remote Code Execution (RCE) (GHSA-qj96-f42f-6336), published Jun 8, 2026 by oliverguenther. Severity: Critical
- View-only project member can restore cancelled recurring meeting occurrence via API (GHSA-3j89-3273-84f5), published Jul 1, 2026 by oliverguenther. Severity: Moderate
- LDAP on-the-fly users bypass OpenProject brute-force protection before local user creation (GHSA-vhfq-8mwf-g79w), published Jul 1, 2026 by oliverguenther. Severity: Moderate
- Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects (GHSA-jrx5-px3f-vfq4), published Jun 10, 2026 by oliverguenther. Severity: Moderate
- Private work package data disclosure through single meeting agenda item API (GHSA-g387-6rm2-xw88), published Jun 8, 2026 by oliverguenther. Severity: Moderate
Learn more about advisories related to opf/openproject in the GitHub Advisory Database