opf/openproject v17.5.0

OpenProject 17.5.0

on GitHub

Release date: 2026-06-10

We released OpenProject 17.5.0. The release contains several bug fixes and we recommend updating to the newest version. In these Release Notes, we will give an overview of important feature changes. At the end, you will find a complete list of all changes and bug fixes.

Important feature changes

Take a look at our release video showing the most important features introduced in OpenProject 17.5.0:

Release video of OpenProject 17.5

Project-based work package identifiers for clearer references and Jira migrations

OpenProject 17.5 introduces optional project-based work package identifiers in Beta. Administrators can choose between the default numerical sequence and project-based IDs for the entire OpenProject instance.

Project-based work package identifiers are especially useful for organizations migrating from Jira, as existing Jira issue identifiers can now be preserved in OpenProject. Beyond migrations, project-based IDs provide shorter sequence numbers and clearer project context, making it easier to recognize, reference, and share work packages across projects, emails, documents, chats, and integrations.

Switching between numerical and project-based IDs

Switching to project-based work package identifiers is an instance-wide administrative change that affects how work packages are referenced throughout OpenProject. Administrators should communicate the change to users before enabling it in production environments, as work package identifiers, URLs, and references will use the new format. OpenProject validates existing project identifiers and can automatically generate shorter, compatible identifiers where necessary.

Support across URLs, searches, exports, and integrations

Even in Beta, project-based work package identifiers are supported across important areas of OpenProject, including URLs, searches, filters, exports, email notifications, APIs, and work package references in Documents and text editors.

Existing integrations such as GitHub and GitLab already support the new identifier format.

See our system admin guide for detailed information on how to manage work package identifiers.

Releasing unused numerical identifiers

When switching from the default numerical sequence to project-based work package identifiers, previously reserved numerical identifiers can be released again if they are no longer needed. This helps administrators avoid unnecessary gaps and keep numerical identifiers available if they later revert to the default sequence.

Jira Migrator support for Jira identifiers, due dates, and more

OpenProject 17.5 further improves the Jira Migrator that was introduced in Beta with OpenProject 17.4. Jira issue identifiers can now be preserved during migration when using project-based work package identifiers.

This helps organizations maintain existing references, naming conventions, and established workflows when transitioning from Jira to OpenProject.

In addition to Jira identifiers, OpenProject 17.5 also adds support for migrating due dates, estimated hours, and remaining hours. Read more about the Jira Migrator in our documentation.

Option to exclude work package types from Backlogs

OpenProject 17.5 introduces more flexible backlog configuration by allowing project administrators to exclude specific work package types from Backlogs. This helps teams keep sprint planning and backlog refinement focused on actionable work items.

For example, higher-level planning items such as Epics or Milestones can now be excluded from backlog views while still remaining available elsewhere in the project. The configuration is available in the Backlogs project settings and can be customized per project.

OpenProject 17.5 also extends project-specific "done" status configuration to the Backlogs module. Work packages with statuses configured as done are now handled consistently across backlog views and sprint completion. For example, teams can treat development work as complete once testing is finished, even if documentation tasks remain open, allowing sprints to be completed without carrying over already finished development work.

Read more about the OpenProject Backlogs module.

Redesigned sprint views and work package cards

OpenProject 17.5 redesigns sprint headers, backlog containers, and work package cards in the Backlogs module to improve readability and usability during agile planning.

Sprint views now provide clearer visual hierarchy, more consistent actions, and improved visibility of important information such as parent work packages, story points, priorities, assignees, and sprint status. Work package cards have also been redesigned to make important work item details easier to scan during sprint planning and backlog refinement.

Allow inline work package links within text paragraphs in the Documents module

OpenProject 17.5 makes it easier to reference work packages naturally within Documents, which use the BlockNote editor. Work package links can now be inserted directly inside text paragraphs instead of always appearing as separate blocks.

This allows teams to create more readable and structured documentation while still linking directly to relevant work packages. Inline work package links behave like regular inline elements and continue to open the referenced work package in a new tab.

Read more about OpenProject's Documents module.

Expanded work package mentions in CKEditor

OpenProject 17.5 also improves work package references in CKEditor-based text fields such as work package descriptions, agenda items in meetings, and wiki pages.

Work package mentions using the ## and ### notation now expand directly inside the editor. Instead of displaying only the identifier, OpenProject now shows additional context such as the work package type, status, and subject while still editing.

This makes referenced work packages easier to recognize without leaving the editor.

Monthly scheduling options for meeting series

OpenProject 17.5 adds more flexible scheduling options for recurring meetings. Meeting series can now repeat monthly based on patterns such as the first Monday or last Friday of a month.

This makes it easier to schedule recurring coordination meetings, steering committees, retrospectives, or review meetings that follow common organizational schedules.

Debounce meeting emails to reduce email noise

OpenProject 17.5 improves meeting-related email behavior by reducing unnecessary update emails while meetings are actively edited.

Instead of sending an email for every small change, OpenProject now consolidates multiple meeting updates into fewer emails. Emails are only sent after no further changes have been made for one minute. This helps reduce inbox noise during collaborative meeting preparation and editing.

Read more about OpenProject's Meetings module.

Allow multi-selection of roles in workflow

OpenProject 17.5 improves workflow administration by allowing administrators to select and configure multiple roles at once in the workflow configuration. This makes it easier and faster to manage workflows across complex role setups and reduces repetitive configuration work for administrators.

Important updates and breaking changes

Sprint sharing moved to the Corporate plan

With OpenProject 17.5, sprint sharing across projects is now part of the Corporate plan. Existing sprint sharing configurations remain available after updating, but creating, modifying, or reactivating shared sprint configurations now requires the Corporate plan.

Sprint sharing was introduced to support scaled agile planning scenarios across multiple projects and teams. Moving the feature to the Corporate plan allows OpenProject to continue investing in advanced cross-project planning capabilities for larger organizational setups.

Session authentication relies on new header for non-GET requests

Previously when making session-authenticated requests to APIv3 endpoints, non-GET requests were only allowed when the
HTTP Header X-Requested-With: XMLHttpRequest was present. This header is usually associated with frameworks such as jQuery,
but is also added for all requests originating from the OpenProject frontend still. For session authentication it served the
purpose of preventing cross-site request forgery, e.g. through simple HTTP forms.

The usage of this header has now been replaced with a check for Sec-Fetch-Site: same-origin, which is added by a browser automatically
to requests and also can't be added or altered through JavaScript. It's unlikely that this causes any disruptions, because session authentication
should only be used for browser-contexts, where the new header will still be present. Non-browser API-access should use different authentication
methods (e.g. OAuth or API tokens), which are not affected by this change.

SSRF protection for the SAML integration

In previous releases, we have introduced improved mechanisms to prevent Server-Side Request Forgery (SSRF) for integrations that communicate with external hosts. In this release, we have extended the SSRF protections to SAML.

In most installations, this will not require any changes.
However, if you operate your SAML using internal IP addresses, you may need to add your IP or range to the OPENPROJECT_SSRF_PROTECTION_IP_ALLOWLIST configuration. Please see the configuration guide for SSRF for more information.

We'd like to thank GitHub user @aslantugay for reporting on the SAML integration still lacking SSRF protection as part of GitHub advisory GHSA-mq29-cmv3-rcmr.

Security fixes

CVE-2026-52779 - Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects

A cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions.

This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.

For more information, please see the GitHub advisory #GHSA-jrx5-px3f-vfq4

Bug fixes and changes

• Feature: Exclude certain work package types from automated backlog (per project) [#71305]
• Feature: Container header (Sprint/Bucket/Inbox) restyling [#72945]
• Feature: Restyled work package card in "Backlogs and sprints" view [#73089]
• Feature: Bring sprint sharing (SAFe) to corporate plan [#74147]
• Feature: Create work package links through # notation in documents / BlockNote [#73664]
• Feature: Create a WorkPackageCard component [#73968]
• Feature: Extend the SubHeader component to support quick filter components [#73972]
• Feature: Jira Migrator imports project-based semantic issue identifiers [#72427]
• Feature: Jira Migrator supports due date, estimated hours and remaining hours. [#74807]
• Feature: Meeting series: Add monthly scheduling options [#61522]
• Feature: Debounce emails for meetings [#66645]
• Feature: Primerize Types form configuration page [#69524]
• Feature: Expand work package mentions (##, ###) macros inside CKEditor [#74641]
• Feature: Allow Custom Fields on UserQuery [#74758]
• Feature: Primerize users administration to allow all filters [#74763]
• Feature: Workflows UX improvement: Allow multi-selection of roles in workflow [#72242]
• Feature: Administration setting for project-based work package identifiers [#71633]
• Feature: Background job for converting project-based semantic work package identifiers [#71645]
• Feature: Allow inline Work Package links within text paragraphs in the Documents module [#72817]
• Feature: Adapt creation of projects through the API for semantic identifiers [#73175]
• Feature: Define database model for project-based work package identifiers [#73315]
• Feature: Adapt work package show view for project-based semantic work package identifiers [#73716]
• Feature: Adapt work package lists for project-based semantic work package identifiers [#73717]
• Feature: Adapt routes for project-based semantic work package identifiers [#73756]
• Feature: Search work packages by their identifier [#73761]
• Feature: Adapt email notifications for project-based work package identifiers [#73827]
• Feature: Adapt work package link blocks in BlockNote for project-based semantic work package identifiers [#74115]
• Feature: Adapt work package links in CKEditor for project-based semantic work package identifiers [#74116]
• Feature: Adapt GitHub and GitLab modules for semantic identifiers [#74364]
• Feature: Adapt work package PDF exports for semantic identifiers [#74366]
• Feature: Add better progress indicator to identifier conversion page [#74903]
• Feature: Put "Beta" label on the setting for enabling semantic identifiers [#74975]
• Feature: Admin panel for releasing old classic project aliases [#74992]
• Bugfix: Closed work packages are still considered to be part of the bucket. [#74773]
• Bugfix: Inconsistent handling of "Definition of Done" [#74796]
• Bugfix: Backlogs: Missing space on mobile [#75188]
• Bugfix: Sprint field is sometimes not visible on the wp page [#75194]
• Bugfix: Backlog settings tab switching doesn't persist in url [#75239]
• Bugfix: No "Undisclosed" mention for the parent work package on the wp card for a user without permissions to see the parent [#75241]
• Bugfix: Incorrect resize behavior for pasted inline-links [#74190]
• Bugfix: Inserting "#" inside text removes content after cursor [#74325]
• Bugfix: Сards converting to hash links on copy-paste and DnD [#74327]
• Bugfix: Type colors are not applied correctly at the beginning [#74330]
• Bugfix: Inconsistent contrast for type colors when switching themes [#74332]
• Bugfix: Dropdown option order changes depending on selected item [#74333]
• Bugfix: Inconsistent inline-link heights in text flow [#74341]
• Bugfix: Inline work package chip has no visual highlight when selected [#74385]
• Bugfix: Arrow-down selection for link work package block prevented by tooltip [#74393]
• Bugfix: Wrong cursor placement after inserting links to Work Packages in BlockNote [#74397]
• Bugfix: Improve size menu and remove L+XL blocks [#74651]
• Bugfix: Click position is lost when activating an inline edit field [#72837]
• Bugfix: Doubled scrollbar on a Board [#73714]
• Bugfix: Quick filters don't react good to medium screen sizes [#74832]
• Bugfix: Hide pagination buttons when they are disabled [#75258]
• Bugfix: Horizontal ellipsis button misaligned when text expanded on Permissions Report/Workflows pages [#75275]
• Bugfix: Jira Migrator: misalignement between the status badge and the import name [#72840]
• Bugfix: Imprecise error for unallowed IP when testing Jira connection [#75031]
• Bugfix: Imprecise error for SSL errors when testing Jira connection [#75032]
• Bugfix: Jira Migrator cannot import a user with non-alphanumeric characters in their name [#75238]
• Bugfix: Jira Migrator stops the import for non-existing user in user mention [#75248]
• Bugfix: Remove extra space in Jira Migrator backup warning dialog [#75353]
• Bugfix: Jira Migrator does not scope issues between import runs. [#75355]
• Bugfix: Jira Migrator shows 0 issues info if server does not include the data in serverInfo endpoint [#75380]
• Bugfix: Jira Migrator gives unhelpful error message if user email is blank [#75381]
• Bugfix: No way to find jira import run history page [#75382]
• Bugfix: Enabled rate limiting on Jira instance breaks projects selector. [#75391]
• Bugfix: Wrong wording on import page in admin [#75422]
• Bugfix: Jira Migrator: Do not disable the new configuration button if the instance is not switched to semantic identifiers [#75674]
• Bugfix: Cancel occurence action item is called 'Delete' on My Meetings page and Meeting index page 'Past' tab [#74303]
• Bugfix: User cannot restore a cancelled occurrence if series has a deleted WP on the agenda [#74304]
• Bugfix: Show default section more clearly when using the section selector for a meeting with no sections [#74321]
• Bugfix: Meetings endpoint /api/v3/recurring_meetings/:id/occurrences/:start_time/init is not properly authorized [#75449]
• Bugfix: ActiveRecord::InvalidForeignKey on RecurringMeetingsController#end_series [#75463]
• Bugfix: Work package configuration dialog's highlighting tab has no space between radio buttons and labels [#64359]
• Bugfix: Log time modal dropdown's bottom border is indistignuishable from the modal's bottom border [#65523]
• Bugfix: Wrong calendar week in My time tracking [#68272]
• Bugfix: Asterisks on Project attributes displaced [#68633]
• Bugfix: [Meetings] Exception raised while trying to update Stale Object [#68703]
• Bugfix: Clicking work package tabs triggers page reload and flickering [#69210]
• Bugfix: Mobile - Include project on WP list is missing spacing [#69451]
• Bugfix: Roles selectable as "Role given to a non-admin user who creates a project" that lack essential permissions [#69496]
• Bugfix: Text overflow in Baseline modal banner [#69526]
• Bugfix: Fix accessibility errors found by ERB Lint [#70166]
• Bugfix: Role not created properly when unselecting all permissions [#73494]
• Bugfix: POST/PATCH/DELETE requests to APIv3 return unauthorized [#73499]
• Bugfix: "Upgrade" button label should not be underlined [#73570]
• Bugfix: Not possible to filter for blocked users in time and cost report [#73660]
• Bugfix: Not possible to follow link custom field from work package list view [#73673]
• Bugfix: Black font in dark mode on wp description [#74697]
• Bugfix: Add upcoming/past filter to meetings index page filters [#74743]
• Bugfix: Redirect to /login is missing the URL query params [#74778]
• Bugfix: Missing space between user avatar and name [#74853]
• Bugfix: LDAP seeding via OPENPROJECT_SEED_LDAP_* uses a different (and self-contradictory) key convention than the rest of the env-var settings [#75361]
• Bugfix: Incorrect confirmation message when deleting a OAuth token [#72958]
• Bugfix: Roles select panel button should be "Apply" [#74560]
• Bugfix: Nextcloud integration shows "No connection to Nextcloud" for folders that have "&" in the name [#73855]
• Bugfix: Shared work package not showing images of comments [#69056]
• Bugfix: Lists of work packages should sort correctly by semantic id [#74156]
• Bugfix: Automatically converting project identifiers should not lead to usage of reserved keywords [#74161]
• Bugfix: Moving work packages after switching to semantic and back should not lead to errors [#74192]
• Bugfix: After migration job is complete save button is visible and clicking it triggers a 404 [#74623]
• Bugfix: Admin page for semantic IDs: grammatical issue [#74681]
• Bugfix: Admin page for semantic IDs: long ids cause overflow [#74730]
• Bugfix: Numeric ID still in the URL of the link opened from the email notification [#74760]
• Bugfix: Numeric ID in the email notification after adding watchers [#74762]
• Bugfix: Numeric ID copied instead of semantic ID in "Copy work package ID" on Backlogs page [#74826]
• Bugfix: Numeric ID in URL of the wp link when opened from search results [#74834]
• Bugfix: Semantic ID is not shown in search results in different places [#74844]
• Bugfix: Numeric ID instead of semantic one in the spent time calendar [#74900]
• Bugfix: Numeric ID instead of semantic one on the Activity page [#74912]
• Bugfix: Numeric ID instead of semantic one in Roadmap [#74913]
• Bugfix: Numeric ID instead of semantic one in bulk edit work packages [#74926]
• Bugfix: Unable to change a parent on bulk edit of work packages with semantic ID [#74927]
• Bugfix: Numeric ID instead of semantic one on the error message on bulk edit [#74928]
• Bugfix: Numeric ID instead of semantic one on the table of related work packages [#74942]
• Bugfix: Numeric ID instead of semantic one on the Time and costs report [#74943]
• Bugfix: Numeric ID instead of semantic one on the wp delete confirmation dialogue [#74944]
• Bugfix: All-numeric project identifiers are not properly handled in classic mode [#74993]
• Bugfix: Numeric ID visible in edit mode in links with # [#75180]
• Bugfix: Inconsistent naming on admin page [#75362]
• Bugfix: Reserved project identifiers: UI fails silently with 404 console error when acting on a deleted project [#75483]
• Bugfix: workPackageValue:ID:attribute macros failing with semantic IDs [#75574]
• Bugfix: Numeric ID showing in Github tab on work packages without links to PRs [#75636]

Contributions

A very special thank you goes to Helmholtz-Zentrum Berlin, City of Cologne, Deutsche Bahn and ZenDiS for sponsoring released or upcoming features. Your support, alongside the efforts of our amazing Community, helps drive these innovations.

Also a big thanks to our Community members for reporting bugs and helping us identify and provide fixes. Special thanks for reporting and finding bugs go to Walid Ibrahim, billy kenne, and Agustín Dall'Alba.

Last but not least, we are very grateful for our very engaged translation contributors on Crowdin, who translated quite a few OpenProject strings! This release we would like to particularly thank the following users:

• Đorđe Dželebdžić, for an outstanding number of translations into Serbian (Cyrillic).
• tuananhhurc, for a great number of translations into Vietnamese.

Would you like to help out with translations yourself? Then take a look at our translation guide and find out exactly how you can contribute. It is very much appreciated!