Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
Security
SECURITY.md
-
Improper Access Control on openproject through /api/v3/custom_options/:id via Path "id" leads to Sensitive Data ExposureGHSA-wr3w-qchj-p4cm published
Jul 8, 2026 by oliverguentherModerate -
Improper Access Control on openproject through /api/v3/work_packages/<X.id> via PATCH parameter "fileLinks"GHSA-c6rc-4288-8p4f published
Jul 8, 2026 by oliverguentherHigh -
Private work package subject/identity disclosure through the global Time Entries and Cost Entries APIs (linked work package rendered without visibility check)GHSA-v3j7-vqwv-5w5q published
Jul 8, 2026 by oliverguentherModerate -
Inplace-edit dialog exposes comments from hidden admin-only project custom fieldsGHSA-63fg-pgqj-3qf8 published
Jul 8, 2026 by oliverguentherModerate -
SQL injection in timestamps functionalityGHSA-98vw-2r87-fx2r published
Jun 8, 2026 by oliverguentherCritical -
CSRF on TARGET through /users/:id via POST parameter "user[admin]"GHSA-6crw-7f5r-4qj9 published
Jun 8, 2026 by oliverguentherHigh -
Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description"GHSA-q33w-f822-hg8x published
Jun 8, 2026 by oliverguentherModerate -
Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data ExposureGHSA-h83w-5q5x-pq27 published
Jun 8, 2026 by oliverguentherHigh -
IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized ResourcesGHSA-3vpx-94qx-xpw6 published
Jun 8, 2026 by oliverguentherCritical -
Cache store poisoning leads to Remote Code Execution (RCE)GHSA-qj96-f42f-6336 published
Jun 8, 2026 by oliverguentherCritical
Learn more about advisories related to opf/openproject in the GitHub Advisory Database