opf/openproject vulnerabilities
51 known vulnerabilities affecting opf/openproject.

Total CVEs: 51
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7 | HIGH 13 | MEDIUM 29 | LOW 2

Vulnerabilities
Page 2 of 3

CVE-2026-44735 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 17.3.2 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actu
Source: NVD

CVE-2026-44734 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 17.3.2 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, and grouping of any Public cost report in the system without verifying ownership or
Source: NVD

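The two entries above (CVE-2026-44735 and CVE-2026-44734) are the same class of mistake seen from two sides: a project-level gate that passes, with no object-level check behind it, and a read-visibility rule ("public") reused as a write check. The following is an added example in plain Ruby, not OpenProject code; the models, the permission names and the "which work packages can this user see" rule are assumptions chosen to illustrate the pattern, and OpenProject's real models and query layer differ.

```ruby
# Added example (not OpenProject code). Models, permission names and the
# visibility rule are assumptions used to illustrate the two patterns.
require 'set'

class NotAuthorized < StandardError; end

# project_perms: { project_id => Set of permission symbols }
User        = Struct.new(:id, :admin, :project_perms)
WorkPackage = Struct.new(:id, :project_id, :author_id, :assignee_id)
Share       = Struct.new(:id, :work_package_id, :shared_with_user_id, :project_id)
CostReport  = Struct.new(:id, :owner_id, :public, :name, :filters)

def allowed?(user, project_id, perm)
  user.admin || user.project_perms.fetch(project_id, Set.new).include?(perm)
end

# CVE-2026-44735 shape (vulnerable): one project-level gate, then every share
# in the project is returned, including shares on work packages the caller
# would never be allowed to open.
def shares_vulnerable(user, project_id, shares)
  raise NotAuthorized unless allowed?(user, project_id, :view_shared_work_packages)
  shares.select { |s| s.project_id == project_id }
end

# Assumed visibility rule: project-wide view permission, or the user is the
# author/assignee, or the work package was shared with the user directly.
def visible?(user, wp, shares)
  return true if allowed?(user, wp.project_id, :view_work_packages)
  return true if [wp.author_id, wp.assignee_id].include?(user.id)
  shares.any? { |s| s.work_package_id == wp.id && s.shared_with_user_id == user.id }
end

# Hardened: keep the project-level gate and add the object-level filter.
def shares_hardened(user, project_id, shares, work_packages)
  raise NotAuthorized unless allowed?(user, project_id, :view_shared_work_packages)
  by_id = work_packages.to_h { |wp| [wp.id, wp] }
  shares.select do |s|
    s.project_id == project_id && visible?(user, by_id.fetch(s.work_package_id), shares)
  end
end

# CVE-2026-44734 shape (vulnerable): the read rule ("public, or mine") is
# reused for a write, so any authenticated user can rename or refilter any
# public report.
def update_report_vulnerable(user, report, attrs)
  raise NotAuthorized if user.nil?
  raise NotAuthorized unless report.public || report.owner_id == user.id
  apply_report_attrs(report, attrs)
end

# Hardened: public means readable by everyone, writable only by the owner
# (or an admin). Visibility and ownership are separate questions.
def update_report_hardened(user, report, attrs)
  raise NotAuthorized if user.nil?
  raise NotAuthorized unless user.admin || report.owner_id == user.id
  apply_report_attrs(report, attrs)
end

def apply_report_attrs(report, attrs)
  report.name    = attrs[:name]    if attrs.key?(:name)
  report.filters = attrs[:filters] if attrs.key?(:filters)
  report
end
```

The hardened list still runs the project gate first (it is cheap and keeps the error behaviour for outsiders), then filters per object. In a real Rails code base that filter belongs in the query scope (a `visible(user)` scope joined into the share lookup) rather than in a controller loop, so every caller inherits it.
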
CVE-2026-40896 | P3 | HIGH | CVSS 7.1 | CWE-367 | fixed in 17.3.0 | 2026-04-20
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker
Source: NVD

CVE-2026-30234 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | fixed in 17.2.0 | 2026-03-11
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the value in markup.bcf is manipulated to contain an absolute or traversal local path (for example: /etc/passwd or ../../../../etc/passwd). During import, this untru
Source: NVD

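The entry above describes a path taken from an archive manifest (markup.bcf) being used without confinement. The following is an added example, not OpenProject's BCF importer: a resolver that maps such a manifest value onto the extraction directory and refuses anything that lands outside it. The directory name and the manifest values in the usage are constructed for illustration.

```ruby
# Added example (not OpenProject's BCF importer). +root+ stands for the
# directory the .bcf archive was extracted into; +untrusted+ is a path value
# read from markup.bcf. Both are illustrative assumptions.
class PathEscapesRoot < StandardError; end

# Resolve +untrusted+ relative to +root+ and return the absolute result, or
# raise if the value points anywhere outside +root+. The check is purely
# lexical (no filesystem access), so it can run before anything is written.
def resolve_within(root, untrusted)
  raise PathEscapesRoot, 'empty path'                  if untrusted.nil? || untrusted.strip.empty?
  raise PathEscapesRoot, 'NUL byte in path'            if untrusted.include?("\0")
  raise PathEscapesRoot, 'absolute path rejected'      if untrusted.start_with?('/')
  # File.expand_path turns a leading "~" into a home directory; archive
  # content must never be allowed to trigger that expansion.
  raise PathEscapesRoot, 'home-relative path rejected' if untrusted.start_with?('~')
  # Archive entries are '/'-separated; a backslash is either a Windows
  # separator or an attempt to confuse a later consumer. Reject both.
  raise PathEscapesRoot, 'backslash in path'           if untrusted.include?('\\')

  root_abs  = File.expand_path(root)
  candidate = File.expand_path(untrusted, root_abs) # collapses "." and ".." lexically
  # Compare against root plus a separator, so that /data/bcf does not accept
  # /data/bcf2/... as "inside".
  prefix = root_abs.end_with?('/') ? root_abs : "#{root_abs}/"
  raise PathEscapesRoot, "traversal rejected: #{untrusted}" unless candidate.start_with?(prefix)
  candidate
end

def safe_path?(root, untrusted)
  resolve_within(root, untrusted)
  true
rescue PathEscapesRoot
  false
end
```

Two caveats a reviewer would add. First, a lexical check does not cover symlinks: if the archive itself can contain symlink entries, extraction has to refuse them, or every resolved path must be re-checked with `File.realpath` after the files exist. Second, rejecting rather than "cleaning" is deliberate: a manifest that points at /etc/passwd is hostile input, and silently rewriting it hides the signal an import log should carry.
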
CVE-2026-52781 | P3 | MEDIUM | CVSS 6.4 | CWE-79 | fixed in 17.3.3; affected >= 17.4.0, < 17.4.1 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachm
Source: NVD

CVE-2026-30239 | P3 | HIGH | CVSS 7.1 | CWE-863 | fixed in 17.2.0 | 2026-03-11
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work pac
Source: NVD

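The budget entry above is an ordering bug rather than a missing check: the permission check exists, but a side effect runs before it. The following is an added example in plain Ruby, not OpenProject's budgets controller; the in-memory store, the permission name and the reassignment step are stand-ins for illustration.

```ruby
# Added example (not OpenProject's budgets controller). Store, permission
# name and reassignment step are illustrative assumptions.
require 'set'

class NotAuthorized < StandardError; end

class BudgetStore
  attr_reader :budgets, :work_packages

  def initialize
    @budgets       = { 1 => 'Q1 budget', 2 => 'Q2 budget' }
    @work_packages = { 100 => 1, 101 => 1, 102 => 2 } # work package id => budget id
  end

  # The side effect that must not run for an unauthorized caller.
  def reassign(from_budget, to_budget)
    @work_packages.transform_values! { |b| b == from_budget ? to_budget : b }
  end
end

def may_delete_budget?(perms)
  perms.include?(:edit_budgets) # assumed permission name
end

# CVE-2026-30239 shape (vulnerable): the reassignment runs first, then the
# permission check raises. The request fails, but the data is already changed.
def destroy_vulnerable(store, perms, budget_id, reassign_to)
  store.reassign(budget_id, reassign_to)
  raise NotAuthorized unless may_delete_budget?(perms)
  store.budgets.delete(budget_id)
end

# Hardened: authorize before any state changes. Validation and authorization
# first, side effects last, and the check has to sit on the same path as the
# effect so no earlier hook can fire ahead of it.
def destroy_hardened(store, perms, budget_id, reassign_to)
  raise NotAuthorized unless may_delete_budget?(perms)
  raise ArgumentError, 'unknown budget' unless store.budgets.key?(budget_id)
  store.reassign(budget_id, reassign_to)
  store.budgets.delete(budget_id)
end
```

Wrapping the reassignment and the delete in one database transaction is worth doing as well, but it is not a substitute: the rollback only helps if the authorization failure is raised inside that transaction, which is exactly what a check placed in the wrong hook does not guarantee.
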
CVE-2023-31140 | P3 | MEDIUM | CVSS 6.5 | CWE-613 | affected >= 7.4.0, < 12.5.4 | 2023-05-08
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrator creates a mobile phone 2FA device o
Source: NVD

CVE-2026-44733 | P3 | MEDIUM | CVSS 5.9 | CWE-620 | fixed in 17.3.2 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a business logic error in OpenProject, reachable through a PATCH request to /api/v3/users/me, permits bypassing the password requirements. A password validation flaw in the change password behavior allows attackers to change a user's password only with an active session takeo
Source: NVD

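The entry above is truncated before it says which requirement the PATCH path skipped, so the following added example, not OpenProject code, enforces the two checks a self-service password change should always have: proof of the current password and the password policy. The hashing, the policy constants and the request body shape are stand-ins; OpenProject's real user model and policy differ.

```ruby
# Added example (not OpenProject code). Hashing, policy values and the
# request shape are illustrative assumptions.
require 'digest'
require 'securerandom'

class PasswordChangeRejected < StandardError; end

Account = Struct.new(:id, :salt, :password_digest)

MIN_PASSWORD_LENGTH = 10 # assumed policy value

# Demo hashing only: production code uses bcrypt/argon2 with per-user salts.
def password_digest(salt, password)
  Digest::SHA256.hexdigest("#{salt}:#{password}")
end

def new_account(password)
  salt = SecureRandom.hex(8)
  Account.new(1, salt, password_digest(salt, password))
end

# Constant-time comparison so the check does not leak where digests differ.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_ok?(account, candidate)
  secure_equal(password_digest(account.salt, candidate), account.password_digest)
end

# Assumed policy: minimum length plus at least two character classes.
def policy_ok?(password)
  classes = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z0-9]/].count { |re| password.match?(re) }
  password.length >= MIN_PASSWORD_LENGTH && classes >= 2
end

# CVE-2026-44733 shape (vulnerable): the PATCH body is applied like any other
# attribute update, so a hijacked session (stolen cookie, XSS) can set a new
# password with no proof of the old one and no policy check.
def patch_me_vulnerable(account, body)
  account.password_digest = password_digest(account.salt, body['password']) if body.key?('password')
  account
end

# Hardened: a password change is a privileged sub-operation of "update me",
# not just another attribute.
def patch_me_hardened(account, body)
  return account unless body.key?('password')
  current = body['current_password']
  raise PasswordChangeRejected, 'current password required'  if current.nil? || current.empty?
  raise PasswordChangeRejected, 'current password incorrect' unless password_ok?(account, current)
  raise PasswordChangeRejected, 'new password violates policy' unless policy_ok?(body['password'])
  account.password_digest = password_digest(account.salt, body['password'])
  account
end
```

Two follow-ups belong in the same change: rotate the session identifier and revoke other sessions once the password is accepted, and send the account owner a notification, so that an attacker who already holds a session cannot quietly lock the victim out.
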
CVE-2026-24777 | P3 | MEDIUM | CVSS 6.7 | CWE-862 | fixed in 17.0.2 | 2026-02-09
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality is meant to apply only to regular users of the application; such users were not supposed to be able to lock application administrators. Due to a missing permission check this logic was no
Source: NVD

CVE-2026-23646 | P3 | MEDIUM | CVSS 6.5 | CWE-488 | fixed in 16.6.5; affected = 17.0.0 | 2026-01-19
OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session
Source: NVD

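Two of the entries on this page concern the same session store from opposite directions: CVE-2023-31140 (sessions that should have been revoked when a 2FA device was confirmed, but were not) and CVE-2026-23646 (a session ended by id without checking whose it is). The following is an added example, not OpenProject code, of a session store that gets both right. The store layout, the id format and the device-confirmation hook are stand-ins for illustration.

```ruby
# Added example (not OpenProject code). Store, id format and the
# "confirm a device" hook are illustrative assumptions.
require 'securerandom'

class NotAuthorized < StandardError; end

Session = Struct.new(:id, :user_id)

class SessionStore
  def initialize
    @sessions = {} # id => Session, insertion ordered
  end

  def open(user_id)
    s = Session.new(SecureRandom.hex(16), user_id)
    @sessions[s.id] = s
  end

  def active_for(user_id)
    @sessions.values.select { |s| s.user_id == user_id }
  end

  # CVE-2026-23646 shape (vulnerable): the session is found by id alone, so
  # whoever can guess or observe another user's session id can end it.
  def end_session_vulnerable(_requesting_user_id, session_id)
    !@sessions.delete(session_id).nil?
  end

  # Hardened: resolve the session *through* the requesting user. A missing
  # session and a foreign one fail identically, so the endpoint does not
  # confirm which ids exist.
  def end_session_hardened(requesting_user_id, session_id)
    s = @sessions[session_id]
    raise NotAuthorized unless s && s.user_id == requesting_user_id
    @sessions.delete(session_id)
    true
  end

  # CVE-2023-31140 shape (fix): confirming a 2FA device is a credential
  # change, so every other session of that user is revoked. When an admin
  # enrols a device on the user's behalf there is no "current" session to
  # keep, and all of them go. Returns the number of sessions revoked.
  def confirm_two_factor_device!(user_id, current_session_id: nil)
    before = active_for(user_id).size
    @sessions.delete_if { |id, s| s.user_id == user_id && id != current_session_id }
    before - active_for(user_id).size
  end
end
```

The ownership check is the actual fix for the deletion bug; unguessable session ids (as generated here) are defence in depth, not a replacement, because ids also leak through logs, referers and shared screens.
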
CVE-2026-30235 | P3 | MEDIUM | CVSS 6.5 | CWE-79 | fixed in 17.2.0 | 2026-03-11
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entir
Source: NVD

CVE-2021-32763 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | fixed in 11.3.3 | 2021-07-20
OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `` tags from the message being quoted. The `(.|\s)` part can match a space character
Source: NVD

CVE-2026-44696 | P4 | MEDIUM | CVSS 5.7 | CWE-79 | fixed in 17.4.0 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This al
Source: NVD

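CVE-2026-52781 and CVE-2026-44696 above are both allowlist-configuration bugs in the same sanitizer: a `:data` wildcard that admits every data-* attribute (including the ones Stimulus.js treats as instructions, such as data-controller="poll-for-changes"), and a CSS configuration that lets every property through. The following is an added example, not OpenProject's sanitizer configuration and not the sanitize gem: it models only the allowlist decision for one element's already-parsed attributes, so the policy difference is visible without an HTML parser. The attribute and property names in the two policies are assumptions for illustration.

```ruby
# Added example (not OpenProject's sanitizer config, not the sanitize gem).
# Policies and attribute names are illustrative assumptions.

# CVE-2026-52781 shape: :data admits *any* data-* attribute.
# CVE-2026-44696 shape: :all lets every CSS property through.
WILDCARD_POLICY = {
  attributes:     ['class', 'href', 'style', :data],
  css_properties: :all
}.freeze

# Hardened: name the data-* attributes the renderer needs, nothing else, and
# limit style to layout properties that cannot position, hide or fetch.
STRICT_POLICY = {
  attributes:     ['class', 'href', 'style', 'data-mention-id'], # assumed need
  css_properties: %w[width height max-width text-align vertical-align].freeze
}.freeze

def attribute_allowed?(name, policy)
  allowed = policy[:attributes]
  return true if allowed.include?(name)
  name.start_with?('data-') && allowed.include?(:data)
end

# Keep only allowlisted CSS properties. Values that smuggle requests or
# script-like syntax are dropped even on an allowed property.
def sanitize_style(style, policy)
  return style if policy[:css_properties] == :all
  style.split(';').filter_map do |decl|
    prop, value = decl.split(':', 2).map(&:strip)
    next if prop.nil? || value.nil? || value.empty?
    next unless policy[:css_properties].include?(prop.downcase)
    next if value.match?(/url\s*\(|expression\s*\(|@import|\\/i)
    "#{prop.downcase}: #{value}"
  end.join('; ')
end

# attrs: { attribute name => value } for one element, as a parser would hand
# them over. Returns the attributes that survive the policy.
def sanitize_attributes(attrs, policy)
  attrs.each_with_object({}) do |(name, value), out|
    next unless attribute_allowed?(name, policy)
    value = sanitize_style(value, policy) if name == 'style'
    out[name] = value unless value.nil? || value.empty?
  end
end
```

The general rule both entries illustrate: a sanitizer allowlist has to be written against what the *client side* will do with an attribute, not against whether it looks like markup. data-* attributes are inert HTML, but a front-end framework that mounts behaviour from data-controller turns them into an execution primitive; likewise `position`, `opacity` and `url()` in a style attribute are not script, but they are enough for overlay and exfiltration tricks.
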
CVE-2026-52779 | P4 | MEDIUM | CVSS 5.4 | CWE-639 | fixed in 17.3.3; affected >= 17.4.0, < 17.4.1 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corre
Source: NVD

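CVE-2026-40896 (agenda items injected into meetings of other projects) and CVE-2026-52779 above (queries deleted across projects) share a root cause that is different from a missing check: the permission is real and is checked, but in the wrong project. The following is an added example, not OpenProject code, of both shapes beside their fixes. The models are stand-ins; `manage_agendas` is the permission named in the CVE text, `manage_public_queries` is an assumed name.

```ruby
# Added example (not OpenProject code). Models are stand-ins;
# :manage_agendas comes from the CVE text, :manage_public_queries is assumed.
require 'set'

class NotAuthorized < StandardError; end

User    = Struct.new(:id, :perms)            # perms: { project_id => Set }
Meeting = Struct.new(:id, :project_id, :agenda)
Query   = Struct.new(:id, :project_id, :public)

def allowed_in?(user, project_id, perm)
  user.perms.fetch(project_id, Set.new).include?(perm)
end

def allowed_anywhere?(user, perm)
  user.perms.values.any? { |set| set.include?(perm) }
end

# CVE-2026-40896 shape (vulnerable): "has manage_agendas somewhere" is treated
# as sufficient, and the meeting is fetched by bare id, so its project never
# enters the decision.
def add_agenda_item_vulnerable(user, meetings, meeting_id, item)
  raise NotAuthorized unless allowed_anywhere?(user, :manage_agendas)
  meetings.fetch(meeting_id).agenda << item
end

# Hardened: load the object first, then authorize in *its* project.
def add_agenda_item_hardened(user, meetings, meeting_id, item)
  meeting = meetings[meeting_id]
  raise NotAuthorized unless meeting && allowed_in?(user, meeting.project_id, :manage_agendas)
  meeting.agenda << item
end

# CVE-2026-52779 shape (vulnerable): the permission is evaluated in the project
# named in the URL, but the query id is resolved globally, so a query from
# another project is deleted under the wrong project's permission.
def delete_query_vulnerable(user, queries, url_project_id, query_id)
  raise NotAuthorized unless allowed_in?(user, url_project_id, :manage_public_queries)
  queries.delete(query_id)
end

# Hardened: the query's own project is the authorization context, and the URL
# project must agree with it. A missing query and a foreign query fail the
# same way, so the response does not reveal which ids exist elsewhere.
def delete_query_hardened(user, queries, url_project_id, query_id)
  query = queries[query_id]
  raise NotAuthorized unless query && query.project_id == url_project_id &&
                             allowed_in?(user, query.project_id, :manage_public_queries)
  queries.delete(query_id)
end
```

The habit that prevents this class: never authorize before the target object is loaded, and derive the project for the check from the object rather than from the route or from "any project the user is in". In Rails terms, scope the lookup (`project.meetings.find(id)`, `project.queries.find(id)`) so a foreign id cannot be resolved at all.
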
CVE-2026-22604 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | affected >= 11.2.1, < 16.6.2 | 2026-01-10
OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoi
Source: NVD

CVE-2024-41801 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 14.3.0 | 2024-07-25
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user's account. This vulnerability affects default
Source: NVD

CVE-2026-27723 | P4 | MEDIUM | CVSS 5.3 | CWE-284 | fixed in 17.0.5, 17.1.2 | 2026-03-05
OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2.
Source: NVD

CVE-2026-32703 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 16.6.9; affected >= 17.0.0, < 17.0.6; +2 more | 2026-03-18
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected i
Source: NVD

CVE-2025-24892 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 15.2.1 | 2025-02-10
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version
Source: NVD

CVE-2024-35224 | P4 | MEDIUM | CVSS 5.4 | CWE-80 | affected >= 13.4.0, < 13.4.2; fixed in 14.1.0; +1 more | 2024-05-23
OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin
Source: NVD