cvebase

opf/openproject vulnerabilities

51 known vulnerabilities affecting opf/openproject.

Total CVEs: 51
CISA KEV: 0
Public exploits: 1
Exploited in the wild: 0
Severity breakdown: CRITICAL 7, HIGH 13, MEDIUM 29, LOW 2

Vulnerabilities

Page 1 of 3 (20 of the 51 entries are listed below)
CVE-2023-33960 | HIGH, CVSS 7.5 | priority P3 | CWE-200 (information exposure) | public PoC | fixed in 12.5.6 | published 2023-06-01
  OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as [...]
  Source: NVD
CVE-2026-25763 | CRITICAL, CVSS 9.9 | priority P2 | CWE-78 (OS command injection) | fixed in 16.6.7 and 17.0.3 | published 2026-02-06
  OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject's repository changes endpoint (/projects/:project_id/repository/changes) when rendering the "latest changes" view via git log. By supplying a specially crafted rev value (for example, [...]
  Source: NVD
CVE-2026-52782 | CRITICAL, CVSS 9.9 | priority P2 | CWE-639 (authorization bypass through user-controlled key) | fixed in 17.3.3; affected >= 17.4.0, < 17.4.1 | published 2026-06-26
  OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, an IDOR through /projects//settings/project_storages/ via the PATCH parameter "storages_project_storage[project_folder_id]" leads to access to unauthorized resources. A project admin in one project can hijack the managed Nextcloud or OneDrive folder [...]
  Source: NVD
CVE-2026-46386 | CRITICAL, CVSS 9.9 | priority P2 | CWE-502 (deserialization of untrusted data) | affected >= 8.3.0, < 17.2.4 and >= 17.3.0, < 17.3.2 | published 2026-06-26
  OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_fac [...]
  Source: NVD
CVE-2026-52785 | CRITICAL, CVSS 9.9 | priority P2 | CWE-89 (SQL injection) | fixed in 17.3.3; affected >= 17.4.0, < 17.4.1 | published 2026-06-26
  OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in the timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.
  Source: NVD
CVE-2026-24685 | HIGH, CVSS 8.8 | priority P2 | CWE-77 (command injection) | fixed in 16.6.6; affected >= 17.0.0, < 17.0.2 | published 2026-01-28
  OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject's repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `re [...]
  Source: NVD
CVE-2026-22600 | CRITICAL, CVSS 9.1 | priority P3 | CWE-200 (information exposure) | fixed in 16.6.4 | published 2026-01-10
  OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing eng [...]
  Source: NVD
CVE-2026-52780 | CRITICAL, CVSS 9.6 | priority P3 | CWE-20 (improper input validation) | fixed in 17.3.3; affected >= 17.4.0, < 17.4.1 | published 2026-06-26
  OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17.4.1.
  Source: NVD
CVE-2026-24772 | CRITICAL, CVSS 9.0 | priority P3 | CWE-345 (insufficient verification of data authenticity) | affected OpenProject >= 17.0.0, < 17.0.2; openproject/hocuspocus < 17.0.2 | published 2026-01-28
  OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours and encrypts it with a shared secret only known to the synchronization server. T [...]
  Source: NVD
CVE-2021-43830 | HIGH, CVSS 8.8 | priority P3 | CWE-89 (SQL injection) | affected >= 12.0.0, < 12.0.4 | published 2021-12-14
  OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget insufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has b [...]
  Source: NVD
CVE-2026-52784 | HIGH, CVSS 8.8 | priority P3 | CWE-352 (cross-site request forgery) | fixed in 17.3.3; affected >= 17.4.0, < 17.4.1 | published 2026-06-26
  OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via the POST parameter "user[admin]". This vulnerability is fixed in 17.3.3 and 17.4.1.
  Source: NVD
CVE-2026-52783 | HIGH, CVSS 8.2 | priority P3 | CWE-313 (cleartext storage) | fixed in 17.3.3; affected >= 17.4.0, < 17.4.1 | published 2026-06-26
  OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token in plaintext to Rails.cache under the deterministic key storage..httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Writ [...]
  Source: NVD
CVE-2026-33667 | HIGH, CVSS 7.4 | priority P3 | CWE-307 (improper restriction of excessive authentication attempts) | fixed in 17.3.0 | published 2026-04-15
  OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does no [...]
  Source: NVD
CVE-2026-22601 | HIGH, CVSS 7.2 | priority P3 | CWE-77 (command injection) | fixed in 16.6.2 | published 2026-01-10
  OpenProject is an open-source, web-based project management software. In OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.
  Source: NVD
CVE-2026-34717 | HIGH, CVSS 8.1 | priority P3 | CWE-89 (SQL injection) | fixed in 17.2.3 | published 2026-04-02
  OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.
  Source: NVD
CVE-2026-32698 | HIGH, CVSS 7.2 | priority P3 | CWE-89 (SQL injection) | fixed in 16.6.9; affected >= 17.0.0, < 17.0.6; +2 more ranges (the description names 17.1.3 and 17.2.1 as the remaining fixed versions) | published 2026-03-18
  OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query without proper sanitation. This allowed an attacker to e [...]
  Source: NVD
CVE-2026-47193 | HIGH, CVSS 7.5 | priority P3 | CWE-200 (information exposure) | fixed in 17.3.3; affected >= 17.4.0, < 17.4.1 | published 2026-06-26
  OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.
  Source: NVD
CVE-2026-24775 | HIGH, CVSS 7.3 | priority P3 | CWE-345 (insufficient verification of data authenticity) | affected >= 17.0.0, < 17.0.2 | published 2026-01-28
  OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows mentioning OpenProject work packages in the document. To show work package details, the editor loads details about the work pa [...]
  Source: NVD
CVE-2026-22603 | MEDIUM, CVSS 6.5 | priority P3 | CWE-307 (improper restriction of excessive authentication attempts) | fixed in 16.6.2 | published 2026-01-10
  OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlim [...]
  Source: NVD
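CVE-2026-33667 and CVE-2026-22603 above both describe the same gap: a second-factor or password-change endpoint whose failures are not counted by the brute-force protection that covers the login form. The following is an added example, not OpenProject's code or its actual fix, of the safeguard such an endpoint needs: a per-key failure counter with a sliding window and a lockout, keyed on "purpose:user_id" so OTP failures are tracked separately from password-login failures. `AttemptLimiter`, `verify_otp` and the defaults are hypothetical names and values chosen for this illustration; the clock is injectable so the behaviour can be tested without sleeping.

```ruby
# Added example (not OpenProject's code): a per-account failure counter with
# lockout for second-factor and password-change attempts, the safeguard that
# CVE-2026-33667 and CVE-2026-22603 describe as missing. The class name, the
# verify_otp helper and the default limits are hypothetical; keying on
# "purpose:user_id" keeps OTP failures separate from password-login failures.
class AttemptLimiter
  def initialize(max_attempts: 5, window: 300, lockout: 900,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @max_attempts = max_attempts # failures inside `window` seconds before locking
    @window = window
    @lockout = lockout           # seconds the key stays locked
    @clock = clock               # injectable for tests
    @failures = Hash.new { |h, k| h[k] = [] } # key => timestamps of recent failures
    @locked_until = {}
  end

  # True while the key is locked; an expired lock is cleared on the way out.
  def locked?(key)
    deadline = @locked_until[key]
    return false if deadline.nil?
    return true if @clock.call < deadline

    @locked_until.delete(key)
    @failures.delete(key)
    false
  end

  # Record a failure; returns true when this failure triggered a lockout.
  # Only failures inside the sliding window count towards max_attempts.
  def record_failure(key)
    now = @clock.call
    recent = @failures[key].select { |t| now - t < @window }
    recent << now
    @failures[key] = recent
    return false if recent.size < @max_attempts

    @locked_until[key] = now + @lockout
    @failures.delete(key)
    true
  end

  # A successful verification clears the counter and any lock.
  def reset(key)
    @failures.delete(key)
    @locked_until.delete(key)
  end
end

# Constant-time comparison so the OTP check itself does not leak a timing oracle.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :locked, :invalid or :ok. The lock is checked before the code, so a
# correct code submitted during the lockout is still rejected.
def verify_otp(limiter, user_id, submitted, expected)
  key = "otp:#{user_id}"
  return :locked if limiter.locked?(key)

  if constant_time_equal?(submitted.to_s, expected.to_s)
    limiter.reset(key)
    :ok
  else
    limiter.record_failure(key)
    :invalid
  end
end
```

The same limiter instance can be reused for the password-change endpoint by choosing a different key prefix (for example "pwchange:" followed by the user ID); the point is that each unauthenticated or second-factor action gets its own counter rather than relying on a setting that only observes password logins.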
CVE-2026-44736 | MEDIUM, CVSS 6.5 | priority P3 | CWE-200 (information exposure) | fixed in 17.4.0 | published 2026-06-26
  OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations, and the subject (title) of work packages they have no permission to view, by supplying an arbitrary work package ID in the involved, fromId, or toId filter. This bypasses the Re [...]
  Source: NVD
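Several of the entries above carry two or more affected ranges on different release lines (for example fixed in 17.3.3 for older releases, but 17.4.0 is affected again until 17.4.1), which is easy to misread when triaging a single deployment. The following is an added example, written for this page and not cvebase's or OpenProject's own code, that maps an installed OpenProject version against the ranges listed on this page (page 1 of 3 only). The ranges are transcribed from each row's "fixed in" / "affected" fields; two readings are assumptions where the page is silent: "fixed in X" with no lower bound is taken as "every version below X", and a second fixed version on a newer release line (for example 17.0.3 next to 16.6.7) is taken as a range starting at that line's .0 release. The openproject/hocuspocus range on CVE-2026-24772 is a separate package and is left out.

```ruby
# Added example (not cvebase's or OpenProject's code): match an installed
# OpenProject version against the affected ranges on this page (page 1 of 3).
# Ranges are transcribed from each row's "fixed in" / "affected" fields.
# Assumptions where the page is silent: "fixed in X" with no lower bound is
# read as "every version below X", and a second fixed version on a newer
# release line is read as a range starting at that line's .0 release.
require "rubygems" # Gem::Version compares numerically (17.0.10 > 17.0.6)

# CVE => list of [lower_bound_inclusive_or_nil, upper_bound_exclusive].
OPENPROJECT_CVE_RANGES = {
  "CVE-2023-33960" => [[nil, "12.5.6"]],
  "CVE-2026-25763" => [[nil, "16.6.7"], ["17.0.0", "17.0.3"]],
  "CVE-2026-52782" => [[nil, "17.3.3"], ["17.4.0", "17.4.1"]],
  "CVE-2026-46386" => [["8.3.0", "17.2.4"], ["17.3.0", "17.3.2"]],
  "CVE-2026-52785" => [[nil, "17.3.3"], ["17.4.0", "17.4.1"]],
  "CVE-2026-24685" => [[nil, "16.6.6"], ["17.0.0", "17.0.2"]],
  "CVE-2026-22600" => [[nil, "16.6.4"]],
  "CVE-2026-52780" => [[nil, "17.3.3"], ["17.4.0", "17.4.1"]],
  "CVE-2026-24772" => [["17.0.0", "17.0.2"]], # openproject/hocuspocus < 17.0.2 is a separate package
  "CVE-2021-43830" => [["12.0.0", "12.0.4"]],
  "CVE-2026-52784" => [[nil, "17.3.3"], ["17.4.0", "17.4.1"]],
  "CVE-2026-52783" => [[nil, "17.3.3"], ["17.4.0", "17.4.1"]],
  "CVE-2026-33667" => [[nil, "17.3.0"]],
  "CVE-2026-22601" => [[nil, "16.6.2"]],
  "CVE-2026-34717" => [[nil, "17.2.3"]],
  "CVE-2026-32698" => [[nil, "16.6.9"], ["17.0.0", "17.0.6"], ["17.1.0", "17.1.3"], ["17.2.0", "17.2.1"]],
  "CVE-2026-47193" => [[nil, "17.3.3"], ["17.4.0", "17.4.1"]],
  "CVE-2026-24775" => [["17.0.0", "17.0.2"]],
  "CVE-2026-22603" => [[nil, "16.6.2"]],
  "CVE-2026-44736" => [[nil, "17.4.0"]],
}.freeze

# True if `version` falls inside any of the [low, high) ranges.
def affected_by?(version, ranges)
  v = Gem::Version.new(version)
  ranges.any? do |low, high|
    (low.nil? || v >= Gem::Version.new(low)) && v < Gem::Version.new(high)
  end
end

# Sorted list of CVE IDs from the table whose ranges contain `version`.
def open_cves_for(version, table = OPENPROJECT_CVE_RANGES)
  table.select { |_cve, ranges| affected_by?(version, ranges) }.keys.sort
end

if $PROGRAM_NAME == __FILE__
  version = ARGV.fetch(0, "17.4.0")
  hits = open_cves_for(version)
  puts "OpenProject #{version}: #{hits.empty? ? 'none of the listed CVEs apply' : hits.join(', ')}"
end
```

Run it as `ruby triage.rb 17.4.0` (any file name works); 17.4.0 reports the six 2026-06-26 entries that are fixed only in 17.4.1, while 17.4.1 reports none of the entries on this page. Because only page 1 of 3 is transcribed, an empty result means none of these 20 CVEs apply, not that the instance is clean.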