Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
Security
SECURITY.md
-
Unsufficient access control leads to create Wiki objects belongs unpermitted projectsGHSA-9gc6-3xjq-pwc9 published
Mar 5, 2026 by klaustopherModerate -
IDOR on OpenProject allows any user to overwrite any sprint/version titleGHSA-p3hw-5g6p-69f2 published
Feb 26, 2026 by klaustopherModerate -
IDOR on backlog stories allows leaking of work package subjectGHSA-xfmm-g339-3x85 published
Feb 26, 2026 by klaustopherModerate -
Information disclosure on OpenProject through /api/v3/custom_fields/{id}/itemsGHSA-qpg6-635j-wjc2 published
Feb 26, 2026 by klaustopherModerate -
IDOR on OpenProject through /meetings/{meeting_id}/agenda_items/{id}/move_to_section via POST requestGHSA-xw8w-4qxm-g9gv published
Feb 26, 2026 by klaustopherModerate -
Stored HTML Injection via MentionFilter Bypass Leads to Credential Harvesting in Email NotificationsGHSA-cxm3-9m5g-9cq4 published
Feb 26, 2026 by klaustopherLow -
User mentions result in information disclosure of user namesGHSA-j4m9-7hff-8qgr published
Feb 26, 2026 by klaustopherModerate -
Authorization flaw in API grids endpoint leads to erase another user widgetGHSA-7xv7-73x4-qqvp published
Feb 26, 2026 by klaustopherModerate -
Path Traversal via Incoming Email Attachments Leads to Arbitrary File Write and RCEGHSA-r85w-rv9m-q784 published
Feb 18, 2026 by oliverguentherCritical -
Path Traversal on OpenProject BIM Edition leads to Arbitrary File upload on BCF module, resulting in possible RCE when using file-based cachingGHSA-4fvm-rrc8-mgch published
Feb 18, 2026 by oliverguentherCritical
Learn more about advisories related to opf/openproject in the GitHub Advisory Database