Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
- SQL injection in timestamps functionality (GHSA-98vw-2r87-fx2r), published Jun 8, 2026 by oliverguenther. Severity: Critical
- CSRF on TARGET through /users/:id via POST parameter "user[admin]" (GHSA-6crw-7f5r-4qj9), published Jun 8, 2026 by oliverguenther. Severity: High
- Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description" (GHSA-q33w-f822-hg8x), published Jun 8, 2026 by oliverguenther. Severity: Moderate
- Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure (GHSA-h83w-5q5x-pq27), published Jun 8, 2026 by oliverguenther. Severity: High
- IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources (GHSA-3vpx-94qx-xpw6), published Jun 8, 2026 by oliverguenther. Severity: Critical
- Cache store poisoning leads to Remote Code Execution (RCE) (GHSA-qj96-f42f-6336), published Jun 8, 2026 by oliverguenther. Severity: Critical
- Private work package data disclosure through single meeting agenda item API (GHSA-g387-6rm2-xw88), published Jun 8, 2026 by oliverguenther. Severity: Moderate
- Journal diff endpoint bypasses object, journal, and field visibility checks (GHSA-f2rx-x2qj-2hgj), published Jun 8, 2026 by oliverguenther. Severity: High
- Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal` (GHSA-r85r-gjq2-f83r), published May 13, 2026 by oliverguenther. Severity: Critical
- Improper Access Control on OpenProject through the POST request to /projects/[PROJECT_NAME]/cost_reports/[REPORT_ID]/rename (GHSA-c767-34gh-gh2h), published May 13, 2026 by oliverguenther. Severity: Moderate
Learn more about advisories related to opf/openproject in the GitHub Advisory Database