openproject

v17.3.2 Security

This release includes 6 security fixes; security teams running exposed deployments should review them.

Published 22d Productivity & Wikis

Topics: angular, bcf, boards, bug-tracker, gantt, gantt-chart, ifc, issue-tracker, kanban, openproject, project-management, project-planning, roadmap, ruby, scrum, timeline, workflows

Affected surfaces

auth rbac rce_ssrf breaking_upgrade

ReleasePort's take

Moderate signal

Docker containers in this release abort startup if the `SECRET_KEY_BASE` environment variable is missing or invalid.

Why it matters: If `SECRET_KEY_BASE` is absent, container boot fails; ensure the required secret is set before deploying v17.3.2 to avoid downtime.

Summary

AI summary

`SECRET_KEY_BASE` validation is now mandatory: the application aborts boot if the variable is missing, and all users with 2FA enabled must re-authenticate on their next login.

Changes in this release

Security Medium

Meetings filter feature no longer leaks user names via GET parameter "filters".

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Change password behavior now validates passwords correctly, preventing session takeover bypass.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

CostReportsController requires ownership verification for rename/update actions on public cost reports.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

`GET /api/v3/shares` now verifies individual shared work package visibility, not just project level.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Document update endpoint enforces authorization before applying attacker-controlled attributes.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Docker containers now validate `SECRET_KEY_BASE` environment variable; otherwise, application aborts boot.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Document PATCH API now enforces authorization before applying attributes.

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Bugfix Medium

Performance impact of large Markdown/HTML templates fixed by tagfilter GFM extension update.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Budget widget no longer breaks with many cost types defined.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Direct login now compatible with mobile app authentication flow.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Release date: 2026-05-13

We released OpenProject 17.3.2.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.

Security fixes

GHSA-r85r-gjq2-f83r - Docker Container starts with SECRET_KEY_BASE default value

When an attacker knew the secret key base that the application uses to derive its internal keys, they could construct encrypted cookies that the server decoded using Object Marshalling, which allowed the attacker to execute almost arbitrary Ruby code within the container, up to complete remote code execution. This was especially present in Docker containers that shipped with a default value as the secret key base when it was not manually overwritten as described in the documentation.

As a fix, the Docker containers now validate that a proper `SECRET_KEY_BASE` environment variable is set. Otherwise the application aborts the boot process with an error message. The documentation has been updated to make it even clearer that the `SECRET_KEY_BASE` environment variable must be set. In addition, the decoding of the encrypted cookies has been changed to use JSON encoding instead of Object Marshalling.

Administrators who have not set a `SECRET_KEY_BASE` environment variable before need to set one now. Otherwise the application will not boot.

This will force all users using two-factor authentication (2FA) to authenticate on their next login, even if they have saved a cookie to skip 2FA for the next 14 days.

This vulnerability was responsibly reported by GitHub user hkolvenbach.

For more information, please see the GitHub advisory #GHSA-r85r-gjq2-f83r
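As an added illustration of the boot-time guard the fix introduces (this is example code, not OpenProject's own startup code), the following plain-Ruby check refuses to start when `SECRET_KEY_BASE` is missing, empty, still a placeholder default, or too short. The placeholder default value, the 64-character minimum and the function names are assumptions made for this example; the real shipped default is not stated on this page.

```ruby
require "securerandom"

# Placeholder standing in for a shipped default that a container image might
# carry; the actual value is not on this page and is assumed here.
KNOWN_DEFAULT_PLACEHOLDER = "changeme-default-secret-key-base".freeze
# Assumed policy: at least 32 bytes of entropy, i.e. 64 hex characters.
MIN_SECRET_BYTES = 32

# Returns nil when the secret is acceptable, otherwise a human-readable reason.
def secret_key_base_problem(env)
  value = env["SECRET_KEY_BASE"]
  return "SECRET_KEY_BASE is not set" if value.nil?

  value = value.strip
  return "SECRET_KEY_BASE is empty" if value.empty?
  return "SECRET_KEY_BASE still has the shipped default value" if value == KNOWN_DEFAULT_PLACEHOLDER
  if value.length < MIN_SECRET_BYTES * 2
    return "SECRET_KEY_BASE is shorter than #{MIN_SECRET_BYTES * 2} characters"
  end

  nil
end

# Mirrors "abort the boot process with an error message": raise instead of
# continuing with a guessable key. Returns true when boot may proceed.
def assert_secret_key_base!(env)
  problem = secret_key_base_problem(env)
  if problem
    raise "Refusing to boot: #{problem}. Generate one with: " \
          "ruby -e 'require \"securerandom\"; puts SecureRandom.hex(64)'"
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample environments for a stand-alone run.
  [{}, { "SECRET_KEY_BASE" => "short" }, { "SECRET_KEY_BASE" => SecureRandom.hex(64) }].each do |env|
    puts(secret_key_base_problem(env) || "ok")
  end
end
```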

CVE-2026-44731 - Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure

The web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response.

This vulnerability was reported by user tuannq_gg as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-x7j3-cfgf-7mc4

CVE-2026-44732 - IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of Resources

OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated.

During the update, attacker-controlled attributes are applied to the persisted record before authorization is enforced. As a result, a user without `:manage_documents` in the source project can move and modify documents of foreign projects by setting `project_id` in a single PATCH request.

This vulnerability was reported by sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-mqvv-5mvc-7pg7
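The ordering bug described above, modelled with plain Ruby objects as an added example (not OpenProject's own service code): the vulnerable variant assigns the request attributes first and then authorizes against the document's new project, so the permission that gets checked is the one the attacker chose; the hardened variant authorizes against the current project and, for a move, against the target project before writing anything. Class, method and permission names are assumptions.

```ruby
# Constructed in-memory model: a document belongs to exactly one project.
Document = Struct.new(:id, :project_id, :title)

class User
  # permissions: { project_id => [:manage_documents, ...] }
  def initialize(permissions)
    @permissions = permissions
  end

  def allowed?(permission, project_id)
    Array(@permissions[project_id]).include?(permission)
  end
end

class NotAuthorized < StandardError; end

# Vulnerable ordering: attributes (including project_id) are applied first, so
# the authorization check runs against the attacker-chosen target project.
def update_document_vulnerable(user, doc, attrs)
  attrs.each { |key, value| doc[key] = value }
  raise NotAuthorized unless user.allowed?(:manage_documents, doc.project_id)
  doc
end

# Hardened ordering: authorize against the document's current (source) project,
# and when the request moves the document also against the target project,
# before a single attribute is written.
def update_document_fixed(user, doc, attrs)
  raise NotAuthorized unless user.allowed?(:manage_documents, doc.project_id)

  target = attrs.fetch(:project_id, doc.project_id)
  if target != doc.project_id && !user.allowed?(:manage_documents, target)
    raise NotAuthorized
  end

  attrs.each { |key, value| doc[key] = value }
  doc
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the caller manages project 2 only; the document lives in project 1.
  outsider = User.new({ 2 => [:manage_documents] })
  doc = Document.new(1, 1, "roadmap")
  puts update_document_vulnerable(outsider, doc.dup, project_id: 2).inspect
  begin
    update_document_fixed(outsider, doc.dup, project_id: 2)
  rescue NotAuthorized
    puts "fixed variant rejected the move"
  end
end
```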

CVE-2026-44733 - Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements

A password validation flaw in the change password behavior allows an attacker who has taken over an active session to change the user's password without satisfying the password requirements.

This vulnerability was reported by user herdiyanitdev as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-px7f-cj9f-7m4m

CVE-2026-44734 - Improper Access Control on OpenProject through the POST request to /projects/[PROJECT_NAME]/cost_reports/[REPORT_ID]/rename

A missing authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, and grouping of any public cost report in the system without verifying ownership or permission level.

An attacker who discovers or guesses a public report's numeric ID can rename or overwrite its filter configuration without any warning to the report's owner.

This vulnerability was reported by user herdiyanitdev as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-c767-34gh-gh2h

CVE-2026-44735 - Shares API Information Disclosure

The GET /api/v3/shares endpoint returns share details for all work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify that the requesting user can actually view each individual shared work package.

This vulnerability was reported by GitHub user DAVIDAROCA27.

For more information, please see the GitHub advisory #GHSA-cfg3-f34w-9xx5
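The difference between the project-level gate and the per-work-package check, as an added example in plain Ruby (not OpenProject's own API code): the vulnerable listing stops after the project permission check, while the fixed listing keeps that gate and then drops every share whose work package the caller cannot see. The permission key, the visibility model and all names are assumptions.

```ruby
require "set"

# Constructed model: visible_to is the set of user ids allowed to see the work package.
WorkPackage = Struct.new(:id, :project_id, :visible_to)
Share = Struct.new(:id, :work_package_id, :shared_with_user_id)
VIEW_SHARED = :view_shared_work_packages

class Policy
  # project_permissions: { [user_id, project_id] => Set of permission symbols }
  def initialize(project_permissions)
    @project_permissions = project_permissions
  end

  def allowed?(user_id, project_id, permission)
    @project_permissions.fetch([user_id, project_id], Set.new).include?(permission)
  end

  # Per-record check: a work package can be hidden from a user even inside a
  # project where that user holds the project-level permission.
  def visible?(user_id, work_package)
    work_package.visible_to.include?(user_id)
  end
end

# Vulnerable: the project-level permission is the only check, so every share
# in the project is returned.
def shares_vulnerable(user_id, project_id, shares, work_packages, policy)
  return [] unless policy.allowed?(user_id, project_id, VIEW_SHARED)

  shares.select { |share| work_packages.fetch(share.work_package_id).project_id == project_id }
end

# Fixed: keep the project gate, then filter each share by the visibility of its
# own work package.
def shares_fixed(user_id, project_id, shares, work_packages, policy)
  shares_vulnerable(user_id, project_id, shares, work_packages, policy).select do |share|
    policy.visible?(user_id, work_packages.fetch(share.work_package_id))
  end
end

if __FILE__ == $PROGRAM_NAME
  wps = { 10 => WorkPackage.new(10, 1, Set[100, 200]), 11 => WorkPackage.new(11, 1, Set[200]) }
  shares = [Share.new(1, 10, 300), Share.new(2, 11, 301)]
  policy = Policy.new({ [100, 1] => Set[VIEW_SHARED] })
  puts "vulnerable: #{shares_vulnerable(100, 1, shares, wps, policy).map(&:id).inspect}"
  puts "fixed:      #{shares_fixed(100, 1, shares, wps, policy).map(&:id).inspect}"
end
```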

Bug fixes and changes

  • Bugfix: Performance impact of large Markdown/HTML templates caused by the tagfilter GFM extension [#74151]
  • Bugfix: Budget widget breaks when lots of cost types defined [#74189]
  • Bugfix: Direct login prevents authentication from mobile app [#74569]

Breaking Changes

  • Requires setting the `SECRET_KEY_BASE` env var; application aborts boot without it.

Security Fixes

  • GHSA-r85r-gjq2-f83r – Docker containers now validate `SECRET_KEY_BASE`; otherwise boot fails, preventing RCE via default secret key.
  • CVE-2026-44731 – Fixed improper access control leaking user names via /projects/[projectName]/meetings filter.
  • CVE-2026-44732 – Fixed IDOR allowing unauthorized modification of documents by manipulating `project_id` in PATCH requests.
  • CVE-2026-44733 – Fixed business-logic flaw permitting password change without meeting requirements when taking over a session.
  • CVE-2026-44734 – Fixed missing authorization on cost report rename, enabling any authenticated user to modify public reports.
  • CVE-2026-44735 – Fixed shares API information disclosure; now respects per-work-package view permissions.

About openproject

OpenProject is the leading open source project management software.
