Release history

openproject releases

OpenProject is the leading open source project management software.

All releases

Config change
v17.4.0 Breaking risk
Auth

SECRET_KEY_BASE required

v17.3.2 Breaking risk
Auth RBAC RCE / SSRF +1 more

SECRET_KEY_BASE validation

v17.2.4 Breaking risk
Auth RBAC RCE / SSRF

SECRET_KEY_BASE enforcement

v17.3.1 Breaking risk

Minor fixes and improvements.

Release date: 2026-04-20

We released OpenProject 17.3.1.
The release contains several bug fixes, and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.

Bug fixes and changes

  • Bugfix: Some macros cannot be used (displayed behind modal) while creating a new child via relations tab [#62585]
  • Bugfix: The 'Reload' action in the banner about the meeting being updated in the background no longer auto-scrolls to the previous position [#70559]
  • Bugfix: Items multiplying on the page and the page becoming unresponsive when macros and code snippets are used [#73117]
  • Bugfix: Removing a 2FA device from a user as admin does not work [#73218]
  • Bugfix: Error when changing wp type from the wp list [#73224]
  • Bugfix: Internal error on custom actions form [#74131]
v17.3.0 Breaking risk
Security fixes
  • CVE-2026-33667
Notable features
  • Dedicated sprint objects for agile planning replacing versions
  • Automatic board creation when starting a sprint
  • Action boards now available in Community edition
v17.2.3 Security relevant
Security fixes
  • CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string (GHSA-5rrm-6qmq-2364)
v17.1.4 Security relevant
Security fixes
  • CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string (GHSA-5rrm-6qmq-2364)
v17.0.7 Security relevant
Security fixes
  • CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string (GHSA-5rrm-6qmq-2364)
v17.2.2 Bug fix

Fixed SMTP TLS test email delivery, webhook Content-Type header, and project version backlog field configuration issues.

v17.2.1 Security relevant
Security fixes
  • CVE-2026-32698 - Custom field SQL injection RCE
  • CVE-2026-32703 - Repository MIME type and filename XSS
v17.1.3 Security relevant
Security fixes
  • CVE-2026-32698 - Custom field SQL injection RCE
  • CVE-2026-32703 - Repository MIME type and filename XSS
v17.0.6 Security relevant
Security fixes
  • CVE-2026-32698 - Custom field SQL injection RCE
  • CVE-2026-32703 - Repository MIME type and filename XSS
v16.6.9 Security relevant
Security fixes
  • CVE-2026-32698 - Custom field SQL injection RCE
  • CVE-2026-32703 - Repository MIME type and filename XSS
v17.2.0 Security relevant
Security fixes
  • CVE-2026-30234 - BCF import path traversal arbitrary file read
  • CVE-2026-30235 - Markdown DOM clobbering page crash
  • CVE-2026-30236 - Budget calculation user rate exposure
v17.1.2 Security relevant
Security fixes
  • CVE-2026-27715 - User mention info disclosure
  • CVE-2026-27716 - Custom fields info disclosure
  • CVE-2026-27717 - Sprint rename IDOR
v17.0.5 Security relevant
Security fixes
  • CVE-2026-27715 - User mention info disclosure
  • CVE-2026-27716 - Custom fields info disclosure
  • CVE-2026-27717 - Sprint rename IDOR
v17.1.1 Security relevant
Security fixes
  • CVE-2026-26966 - Query creation auth bypass
  • CVE-2026-26968 - Capabilities enumeration
  • CVE-2026-26969 - Project HTML injection
v17.0.4 Security relevant
Security fixes
  • CVE-2026-26966 - Query creation auth bypass
  • CVE-2026-26968 - Capabilities enumeration
  • CVE-2026-26969 - Project HTML injection
v16.6.8 Security relevant
Security fixes
  • CVE-2026-27006 - BCF path traversal RCE
  • CVE-2026-27019 - Email attachment path traversal
v17.1.0 New feature
Notable features
  • configurable project initiation wizard
  • automatic work package creation
  • PDF artifact generation
v17.0.3 Security relevant
Security fixes
  • GHSA-q523-c695-h3hp - Time tracking HTML injection
  • GHSA-x37c-hcg5-r5m7 - Repository command injection RCE
v16.6.7 Security relevant
Security fixes
  • GHSA-q523-c695-h3hp - Time tracking HTML injection
  • GHSA-x37c-hcg5-r5m7 - Repository command injection RCE
v17.0.2 Security relevant
Security fixes
  • CVE-2026-24685 - Repository diff RCE
  • CVE-2026-24772 - Sync server SSRF/CSWSH
  • CVE-2026-24775 - BlockNote ID manipulation
v16.6.6 Security relevant
Security fixes
  • CVE-2026-24685 - Repository diff argument injection RCE
v17.0.1 Security relevant
Security fixes
  • CVE-2026-23646 - Unauthorized session deletion
  • CVE-2026-23721 - Group membership enumeration
  • CVE-2026-23625 - Stored XSS in roadmap
v16.6.5 Security relevant
Security fixes
  • CVE-2026-23646 - Unauthorized session deletion
  • CVE-2026-23721 - Group membership enumeration
  • CVE-2026-23625 - Stored XSS in roadmap
v17.0.0 New feature
Notable features
  • Real-time collaborative document editing with BlockNote editor and live cursors
  • Programs and Portfolios hierarchy for strategic planning (Enterprise Premium)
v16.6.4 Bug fix

Fixed incorrect processing of SVG file attachments that were being converted to PNG format, restoring proper file type handling in document management.