Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
Published security advisories for opf/openproject (GitHub Advisory Database identifiers, publication date, reporter and severity):

- Improper Access Control on User Management allows user managers to lock admin accounts (GHSA-fq66-cwg6-qq69), published Feb 9, 2026 by klaustopher. Severity: Moderate
- Users can delete other user's session, causing them to be logged out (GHSA-w422-xf8f-v4vp), published Jan 19, 2026 by klaustopher. Severity: Moderate
- Users with "View Members" permission in any project can view all Group memberships (GHSA-vj77-wrc2-5h5h), published Jan 19, 2026 by klaustopher. Severity: Moderate
- Stored XSS regression on OpenProject using attachments and script-src self (GHSA-cvpq-cc56-gwxx), published Jan 19, 2026 by klaustopher. Severity: High
- Arbitrary File Read via ImageMagick SVG Coder (GHSA-m8f2-cwpq-vvhh), published Jan 9, 2026 by oliverguenther. Severity: Critical
- Missing permission check for deletion of Boards (GHSA-frrc-prg7-xq7h), published Feb 16, 2026 by oliverguenther. Severity: Moderate
- Users with read only permissions could modify order in boards and remove items from boards (GHSA-2mv7-3f2v-2fg9), published Feb 16, 2026 by oliverguenther. Severity: Moderate
- Insecure Direct Object Reference in Meetings (GHSA-fq4m-pxvm-8x2j), published Jan 9, 2026 by oliverguenther. Severity: Moderate
- No protection against brute-force attacks in the Change Password function (GHSA-93x5-prx9-x239), published Jan 9, 2026 by oliverguenther. Severity: Moderate
- User enumeration via the change password function (GHSA-q7qp-p3vw-j2fh), published Jan 9, 2026 by oliverguenther. Severity: Moderate
Learn more about advisories related to opf/openproject in the GitHub Advisory Database