OpenProject 17.3.3

Release date: 2026-06-08

We released OpenProject 17.3.3. The release contains several security fixes and bug fixes, and we recommend updating to the newest version. Below you will find a complete list of all changes and bug fixes.

Security fixes

CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-f2rx-x2qj-2hgj

GHSA-3vpx-94qx-xpw6 - IDOR through /projects//settings/project_storages/ via PATCH parameter “storages_project_storage[project_folder_id]” leads to Access to Unauthorized Resources

A project admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into their own project's Storages::ProjectStorage row through the PATCH parameter. On the next managed-folder sync, the ACL of the referenced folder is overwritten with the attacker project's member list, giving those users access to the victim project's files.

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-3vpx-94qx-xpw6

GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter “user[admin]”

Turbo Drive automatically injects the CSRF token from <meta name="csrf-token"> into forms that are added to the page, including a form injected through the stored XSS's append Turbo Stream action, so the injected form carries a valid token. A second action, dispatch_event with name="submit", auto-submits the form with no victim interaction beyond viewing the work package, resulting in a CSRF request to /users/:id that carries the user[admin] parameter on the victim's behalf.

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-6crw-7f5r-4qj9

GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality

OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter.

The timestamp parser accepts a relative date keyword on the first line only, because its regular expression uses line anchors (^ and $, which in Ruby match at every line boundary) instead of string anchors (\A and \z). The parser therefore validates only the first line of the input, but the original multi-line string is kept and later interpolated into a raw SQL CASE ... THEN '<timestamp>' expression.

An authenticated user who can save a query can persist a timestamps array value containing literal commas and use it to trigger a top-level data-modifying CTE (a WITH clause wrapping an INSERT, UPDATE or DELETE). This gives the attacker a generic database write primitive running as the OpenProject application database role.

The demonstrated impact is administrator privilege escalation: the attacker uses that write primitive to update their own account record, setting the account's administrator flag to true. The same injection also allows in-band data disclosure through work-package timestamp metadata.
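The anchor mistake described above is easy to reproduce outside OpenProject. The following added example is not the project's code: it models a relative-timestamp check with a line-anchored regex beside the string-anchored form, shows how the unchanged original string reaches a CASE fragment, and checks each element of a persisted timestamps array individually. The keyword list, the SQL fragment and the multi-line payload are constructed for illustration.

```ruby
# Added example (not OpenProject code): why a line-anchored regex lets a
# multi-line value through validation, and how that value then reaches SQL.
# The keyword list and the CASE fragment are constructed for illustration.

RELATIVE_KEYWORDS = %w[oneDayAgo oneWeekAgo oneMonthAgo].freeze

# Flawed check: in Ruby, ^ and $ always match at line boundaries, so only
# the first line of the string has to look like a keyword.
LINE_ANCHORED = /^(#{RELATIVE_KEYWORDS.join('|')})$/

# Hardened check: \A and \z anchor to the start and end of the whole string
# (\Z would still allow one trailing newline, so \z is the right choice).
STRING_ANCHORED = /\A(#{RELATIVE_KEYWORDS.join('|')})\z/

def flawed_timestamp?(value)
  LINE_ANCHORED.match?(value)
end

def strict_timestamp?(value)
  STRING_ANCHORED.match?(value)
end

# Models the dangerous pattern: the check passes, but the ORIGINAL string
# (not the matched keyword) is interpolated into raw SQL.
def case_fragment_interpolated(value)
  raise ArgumentError, "bad timestamp" unless flawed_timestamp?(value)
  "CASE WHEN journals.created_at <= NOW() THEN '#{value}' END"
end

# Hardened: validate with string anchors and interpolate only the captured
# keyword, which comes from a fixed allowlist. Passing values as bind
# parameters (e.g. sanitize_sql_array) is the other half of the fix.
def case_fragment_strict(value)
  m = STRING_ANCHORED.match(value)
  raise ArgumentError, "bad timestamp" unless m
  "CASE WHEN journals.created_at <= NOW() THEN '#{m[1]}' END"
end

# Validates a persisted timestamps array element by element, so embedded
# newlines or commas in one element cannot smuggle extra SQL through.
def parse_timestamps(values)
  values.map do |v|
    raise ArgumentError, "bad timestamp: #{v.inspect}" unless strict_timestamp?(v)
    v
  end
end

if __FILE__ == $PROGRAM_NAME
  payload = "oneDayAgo\nnot a timestamp at all" # constructed multi-line value
  puts "line-anchored check accepts payload:   #{flawed_timestamp?(payload)}"
  puts "string-anchored check accepts payload: #{strict_timestamp?(payload)}"
  puts case_fragment_interpolated(payload)
  begin
    case_fragment_strict(payload)
  rescue ArgumentError => e
    puts "hardened path rejected it: #{e.message}"
  end
end
```

Grepping a Rails code base for validation regexes that start with ^ rather than \A is a quick way to find the same class of bug elsewhere; Rails itself refuses `format:` validators that use ^ or $ without `multiline: true` for exactly this reason.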

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-98vw-2r87-fx2r

GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others “storage..httpx_access_token” leads to Sensitive Data Exposure

OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, and the entry is repopulated continuously by an hourly cron job and by every userless-OAuth call site. None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure AD application-level bearer token with an anonymous get over the memcached binary protocol (or the equivalent against Redis).

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-h83w-5q5x-pq27

GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter “description”

The HTML sanitizer grants <macro> elements unrestricted data-* attributes through a :data wildcard in its attribute allowlist. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount that controller on the element; the controller fetches an attacker-uploaded attachment and passes its contents to renderStreamMessage(). This executes arbitrary Turbo Stream actions, including redirect_to, in the authenticated browser session of every victim who renders the description, redirecting them to an attacker-controlled server.
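The root cause is an allowlist rule that matches a whole attribute namespace rather than specific names. The following added example is not OpenProject's sanitizer: it is a small attribute-policy filter that contrasts a :data wildcard with an explicit list, plus a regression check that flags any surviving Stimulus or Turbo hook attribute. The macro attribute names and the Stimulus value attribute in the sample are constructed; the real controller's attribute names are not on this page.

```ruby
# Added example (not OpenProject's sanitizer): how a :data wildcard in an
# attribute allowlist lets framework hook attributes through, and what an
# explicit policy looks like. The macro attribute names are constructed.

# Attribute names Stimulus and Turbo act on wherever they appear in the DOM.
# None of these should survive sanitization of user-supplied HTML.
FRAMEWORK_HOOKS = [
  /\Adata-controller\z/,
  /\Adata-action\z/,
  /\Adata-[a-z0-9-]+-target\z/,
  /\Adata-[a-z0-9-]+-(?:value|param|outlet|class)\z/,
  /\Adata-turbo/
].freeze

# Vulnerable policy: :data means "any attribute whose name starts with data-".
WILDCARD_POLICY = { 'macro' => [:data] }.freeze

# Hardened policy: only the names the macro renderer actually reads
# (constructed list; substitute the real ones for your renderer).
EXPLICIT_POLICY = { 'macro' => %w[class data-macro-type data-macro-name] }.freeze

def attribute_allowed?(policy, tag, name)
  policy.fetch(tag, []).any? do |rule|
    rule == :data ? name.start_with?('data-') : rule == name
  end
end

# Returns the attribute hash with everything the policy does not permit removed.
def filter_attributes(policy, tag, attrs)
  attrs.select { |name, _| attribute_allowed?(policy, tag, name) }
end

# Regression check for sanitizer output: which surviving attributes would a
# front-end framework interpret as instructions?
def framework_hooks(attrs)
  attrs.keys.select { |name| FRAMEWORK_HOOKS.any? { |re| re.match?(name) } }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker-controlled attributes on a <macro> element.
  attrs = {
    'data-macro-type' => 'toc',
    'data-controller' => 'poll-for-changes',
    'data-poll-for-changes-url-value' => 'https://attacker.example/payload', # constructed name
    'onclick' => 'alert(1)'
  }
  [['wildcard', WILDCARD_POLICY], ['explicit', EXPLICIT_POLICY]].each do |label, policy|
    kept = filter_attributes(policy, 'macro', attrs)
    puts "#{label}: kept #{kept.keys.inspect}, framework hooks #{framework_hooks(kept).inspect}"
  end
end
```

Running framework_hooks over real sanitizer output in the test suite catches this class of bug regardless of which sanitizer library produces the HTML: any data-controller, data-action or data-*-target that survives is a finding.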

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-q33w-f822-hg8x

GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE)

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-qj96-f42f-6336

Bug fixes and changes