Security: opf/openproject

Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/

Published advisories:
- Blind SSRF on OpenProject instance via webhooks, and through /admin/test_email via POST request leads to internal network reconnaissance (GHSA-9wr7-j98g-2jh3), published Mar 11, 2026 by machisuji. Severity: Low
- Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets (GHSA-gpvh-g967-g4h8), published Mar 11, 2026 by machisuji. Severity: Moderate
- Users that are not project members can be used to calculate Labor Budget, leaking their global hourly rate (GHSA-p747-569x-3v3f), published Mar 11, 2026 by machisuji. Severity: Moderate
- OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Read (AFR) (GHSA-q8c5-vpmm-xrxv), published Mar 11, 2026 by machisuji. Severity: Moderate
- Insecure Direct Object Reference in Project Storage Administration Theft & Pre-Auth Remote Folder Deletion (GHSA-v8cr-7x8f-78mq), published Feb 26, 2026 by klaustopher. Severity: Critical
- Missing boundary check allows users with Manage Agenda Items permission in one project to create Agenda Items in Meetings in other projects (GHSA-c76v-8735-35hq), published Feb 26, 2026 by klaustopher. Severity: Moderate
- Authorization bypass via MCP endpoint (GHSA-w9w6-f59w-89vj), published Feb 26, 2026 by klaustopher. Severity: Moderate
- IDOR on OpenProject via PUT /work_packages/[workPackageId]/activities/[activityId]/toggle_reaction allows reader user to read internal comments (GHSA-3qgp-q2x5-c4jw), published Feb 26, 2026 by klaustopher. Severity: Moderate
- Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering (GHSA-9rv2-9xv5-gpq8), published Mar 11, 2026 by machisuji. Severity: Moderate
- Improper Authentication on OpenProject through /oauth/authorize via GET parameter "redirect_uri" when using mobile OAuth app (GHSA-w92f-h4wh-g4w4), published Feb 26, 2026 by klaustopher. Severity: High
Learn more about advisories related to opf/openproject in the GitHub Advisory Database.