Release date: 2026-02-18
We released OpenProject 17.0.4.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-26966 - Improper Access Control on OpenProject through /api/v3/queries via POST request allows unauthorized users to create project queries
A broken access control vulnerability exists in the /api/v3/queries endpoint that allows a normal authenticated user, without sufficient permissions, to create private project queries.
By reusing a valid request generated by an administrator and replacing the session cookie and CSRF token with those of a low-privileged user, the backend accepts the request and successfully creates the query.
This action should be restricted to authorized roles only. The issue demonstrates missing or improper authorization checks on query creation.
This vulnerability was reported by user slashx0x as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-5m66-2gm7-6jcc
CVE-2026-26968 - Improper Access Control on OpenProject instance through /api/v3/capabilities
The /api/v3/capabilities endpoint allows unauthorized enumeration of private project names and detailed permissions by specifying the built-in admin user ID as the principal.
While the API correctly prevents querying the capabilities of other users, the built-in Admin account remains resolvable.
Since project IDs are assigned incrementally, and the built-in admin has visibility on all projects, this facilitates mapping of the entire OpenProject instance.
This vulnerability was reported by users syndrome_impostor and noidont as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-g62r-9rgf-h53q
CVE-2026-26969 - HTML Injection on OpenProject instance through project name
The application is vulnerable to HTML injection due to improper sanitization of user-supplied input for the project name.
An attacker can inject arbitrary HTML tags into the response, altering the structure of the page; the payload is later executed when work packages are created.
This vulnerability was reported by user roro1702 as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-r4v5-h2fp-fhxf
CVE-2026-26970 - HTML injection on wiki updated mailer
An HTML injection vulnerability occurs in the wiki updated mailer function of OpenProject. The application does not properly escape HTML tags: an attacker with invitation rights, or users themselves when registrations are open, can create a user name containing HTML tags. If they then gain the permission to add or edit wiki pages, their author tag is not properly escaped in emails.
This vulnerability was reported by user yokokho as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-jrhg-mx22-57rm
CVE-2026-26971 - IDOR on Hourly Rates Controller allows deletion of Hourly Rates on other projects
A project-scoped hourly rates update endpoint in the Costs module allows deleting a target user’s hourly rates across all projects by sending a crafted request that omits the user parameter. The request is authorized only against the URL project (:project_id), but the deletion query is not scoped to that project, resulting in cross-project broken access control (horizontal privilege escalation).
This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-xh2h-jfr6-3qhc
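The root cause described above is a destructive query that is filtered more loosely than the authorization check that precedes it. The following added example is not OpenProject's code: it uses a constructed in-memory stand-in for an hourly-rates table and a hypothetical `handle_delete_rates` handler to contrast the user-only filter with a deletion bound to the authorized project, and to treat an omitted user parameter as a request error rather than a wildcard.

```ruby
# Added example, not OpenProject's code. HourlyRate, RateStore and
# handle_delete_rates are constructed stand-ins for a project-scoped
# "update hourly rates" endpoint.
HourlyRate = Struct.new(:project_id, :user_id, :rate)

class RateStore
  attr_reader :rates

  def initialize(rates)
    @rates = rates.dup
  end

  # Vulnerable pattern: the caller was authorized against the URL project,
  # but the deletion filters by user only, so rates in every project go.
  # Returns the number of rows removed.
  def delete_unscoped(user_id:)
    before = @rates.size
    @rates.reject! { |r| r.user_id == user_id }
    before - @rates.size
  end

  # Hardened pattern: the destructive query is bound to the same project the
  # caller was authorized for, and a missing user id is an error.
  def delete_scoped(project_id:, user_id:)
    raise ArgumentError, "user_id is required" if user_id.nil?
    before = @rates.size
    @rates.reject! { |r| r.project_id == project_id && r.user_id == user_id }
    before - @rates.size
  end
end

# Request handler sketch. `permissions` maps project_id => [permission symbols]
# held by the caller (a constructed stand-in for a role check).
# Returns :ok, :forbidden or :bad_request.
def handle_delete_rates(store, params, permissions)
  project_id = Integer(params.fetch("project_id"))
  return :forbidden unless permissions.fetch(project_id, []).include?(:edit_hourly_rates)

  # An omitted or non-numeric user id must not silently widen the query.
  user_id = params["user_id"] && Integer(params["user_id"])
  store.delete_scoped(project_id: project_id, user_id: user_id)
  :ok
rescue ArgumentError, KeyError
  :bad_request
end

# Constructed sample data: user 7 has rates in projects 1 and 2.
SAMPLE_RATES = [
  HourlyRate.new(1, 7, 50.0),
  HourlyRate.new(2, 7, 55.0),
  HourlyRate.new(1, 9, 40.0)
].freeze
```

With `SAMPLE_RATES`, `delete_unscoped(user_id: 7)` removes two rows even though only project 1 was authorized, while the handler with project 1 and user 7 removes exactly one, refuses project 2 for a caller who only holds the permission on project 1, and answers `:bad_request` when `user_id` is absent.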
CVE-2026-26976 - HTML Injection via Email Field in User Registration Leading to Malicious Notification Email to Instance Owner (Admin)
When anonymous registration is enabled, an unauthenticated attacker can submit a malicious payload in the email field during a registration attempt (/account/register). Even when the registration fails due to the free plan user limit (10 active users), the system sends a notification email to the instance owner/admin warning that the user limit is reached. This email reflects the malicious email payload unescaped in the body/subject/content, allowing HTML injection.
This enables phishing, content spoofing, or (in rare cases with permissive email clients) limited XSS-like behavior in the admin's inbox.
This vulnerability was reported by user pdowski as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-6m5j-mp2j-cgmm
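Both CVE-2026-26970 (author name in the wiki updated mail) and CVE-2026-26976 (attempted email address in the user-limit mail) share one defect: a user-controlled string reaches an HTML mail body without escaping. The following added example is not OpenProject's mailer code; `wiki_updated_mail` and `user_limit_reached_mail` are hypothetical builders that show the two controls a defender wants here: strict syntax validation of the registration address before it is stored or mailed, and escaping of every interpolated value with the standard library's `ERB::Util.html_escape`, with subjects kept as plain text stripped of line breaks.

```ruby
# Added example, not OpenProject's code. Demonstrates escaping user-controlled
# values at the point where they are interpolated into HTML mail, plus a strict
# syntax check on a registration email address.
require "erb"
require "uri"

# Escape for an HTML context (&, <, >, ", ').
def h(value)
  ERB::Util.html_escape(value.to_s)
end

# Subjects are header text, not HTML: remove CR/LF so a value cannot start a
# new header line, and leave markup characters as literal text.
def header_text(value)
  value.to_s.delete("\r\n")
end

# Registration input: URI::MailTo::EMAIL_REGEXP rejects angle brackets and
# quotes in the local part, so a rejected registration never carries tags.
def valid_registration_email?(value)
  s = value.to_s
  s.length <= 254 && URI::MailTo::EMAIL_REGEXP.match?(s)
end

# Admin notification for a registration refused by the active-user limit.
# The attempted address is escaped even though it should have been validated,
# so a later relaxation of the check cannot reintroduce the injection.
def user_limit_reached_mail(attempted_email, limit:)
  {
    subject: header_text("User limit of #{limit} reached: registration of #{attempted_email} refused"),
    body: "<p>A registration for <code>#{h(attempted_email)}</code> could not be " \
          "completed because the active user limit (#{limit}) is reached.</p>"
  }
end

# Wiki update notification: the author's display name is user-chosen.
def wiki_updated_mail(author_name, page_title)
  {
    subject: header_text("Wiki page #{page_title} updated"),
    body: "<p>#{h(author_name)} updated <strong>#{h(page_title)}</strong>.</p>"
  }
end
```

Rendering `wiki_updated_mail("<img src=x>", "Home")` yields `&lt;img src=x&gt;` in the body, and `valid_registration_email?("<b>alice</b>@example.com")` is false, so the limit-reached mail for such an attempt is never built from raw input in the first place.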
CVE-2026-27006 - Path Traversal on OpenProject BIM Edition leads to Arbitrary File upload on BCF module, resulting in possible RCE when using file-based caching
An authenticated attacker with BCF module access can write arbitrary files to any writable directory on the server through a path traversal vulnerability in the BCF import functionality. For docker-compose based installations, this can be expanded to a remote code execution using cache deserialization.
This vulnerability was reported by user shafouzzz as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-4fvm-rrc8-mgch
CVE-2026-27019 - Path Traversal via Incoming Email Attachments Leads to Arbitrary File Write and RCE
When OpenProject is configured to accept and handle incoming emails, an attacker could send an email with a specially crafted attachment that would be written to a predefined location in the filesystem. Any location writable by the openproject system user could be written to. This could even be escalated to a Remote Code Execution vulnerability.
This vulnerability was reported by user sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
For more information, please see the GitHub advisory #GHSA-r85w-rv9m-q784
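CVE-2026-27006 (BCF import) and CVE-2026-27019 (incoming email attachments) are both path traversal in a file name taken from untrusted input. The following added example is not OpenProject's code: it shows the check a defender expects before an attachment is written, with an assumed attachments root of `/srv/app/attachments`. `sanitize_attachment_name` reduces the name to a single path component and `safe_attachment_path` resolves the final path and proves it still lies below the root, so a name that cannot be made safe raises instead of being written.

```ruby
# Added example, not OpenProject's code. Confines an attacker-controlled
# attachment name to a single component under an assumed attachments root.
ATTACHMENTS_ROOT = File.expand_path("/srv/app/attachments") # assumed location

class UnsafeFilename < StandardError; end

# Strip any directory part (POSIX or Windows separators), refuse the empty and
# dot-only names that File.basename can return, and replace every character
# outside a conservative allow-list.
def sanitize_attachment_name(name)
  base = File.basename(name.to_s.tr("\\", "/"))
  if base.empty? || base == "." || base == ".."
    raise UnsafeFilename, "name has no usable file component"
  end
  base.gsub(/[^\w.\-]/, "_")
end

# Resolve the on-disk path and verify it is strictly inside the root. The
# prefix check includes the separator so a sibling directory such as
# "/srv/app/attachments2" is not accepted.
def safe_attachment_path(name, root: ATTACHMENTS_ROOT)
  target = File.expand_path(sanitize_attachment_name(name), root)
  unless target.start_with?(root + File::SEPARATOR)
    raise UnsafeFilename, "resolved path escapes the attachments root"
  end
  target
end

# Convenience for callers that only need a yes/no decision.
def attachment_write_allowed?(name, root: ATTACHMENTS_ROOT)
  safe_attachment_path(name, root: root)
  true
rescue UnsafeFilename
  false
end
```

Usage: `safe_attachment_path("../../etc/x.txt")` returns `/srv/app/attachments/x.txt` because the directory part is discarded, whereas `safe_attachment_path("..")` raises `UnsafeFilename`. The second check is deliberately redundant with the first: a sanitizer bug would still be caught by the prefix test on the resolved path.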