Skip to main content

Openproject

54 CVEs product

Monthly

CVE-2026-44733 MEDIUM PATCH This Month

Password validation bypass in OpenProject's REST API allows an attacker who has already seized a valid user session to change that account's password without supplying the current password, exploiting CWE-620 (Unverified Password Change) via a crafted PATCH request to /api/v3/users/me. Affected versions are all OpenProject releases prior to 17.3.2 and 17.4.0 (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, when chained with a session-takeover primitive, it converts transient access into persistent account control.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-44731 MEDIUM PATCH This Month

User account enumeration in OpenProject's meetings filter feature allows authenticated attackers to probe arbitrary user IDs and, by observing differences in server responses, determine whether each ID corresponds to a valid account and retrieve the associated user's full name. All versions prior to 17.3.2 and 17.4.0 are affected. No public exploit code or active exploitation has been identified at time of analysis, though the low-complexity attack path makes this straightforward to weaponize for reconnaissance.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44732 MEDIUM PATCH This Month

OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a `project_id` attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the `:manage_documents` permission check entirely. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the attack requires only a valid user session and standard HTTP tooling.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44734 MEDIUM PATCH This Month

Missing authorization in OpenProject's CostReportsController allows any authenticated user to rename or overwrite the filter and grouping configuration of any Public cost report system-wide, bypassing ownership checks entirely. All OpenProject deployments running versions prior to 17.3.2 and 17.4.0 are affected. An attacker with only a low-privilege account who enumerates or guesses a public report's numeric ID can silently corrupt shared cost reporting configurations with no warning to the report's owner. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-44735 MEDIUM PATCH This Month

Incorrect authorization in OpenProject's REST API allows authenticated project members to harvest confidential work package metadata they are not entitled to view. The `GET /api/v3/shares` endpoint enforces access control only at the project level - not at the individual work package level - meaning any holder of the `view_shared_work_packages` permission can retrieve share records for every work package in a project, including confidential titles, share recipient identities, and assigned role levels. No public exploit is identified at time of analysis; vendor-released patches exist in versions 17.3.2 and 17.4.0.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-44696 MEDIUM PATCH This Month

CSS injection in OpenProject's rich text rendering pipeline prior to version 17.4.0 allows any authenticated user with write access to inject arbitrary CSS into formattable text fields (work package descriptions, comments, project descriptions, news). The misconfigured Sanitize::Config::RELAXED[:css] setting permits all CSS properties on permitted HTML elements, enabling UI redressing, phishing overlays, and potential CSS-based side-channel data exfiltration when a victim views the malicious content. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vendor-released fix is available in 17.4.0.

XSS Openproject
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-49355 MEDIUM PATCH This Month

The meeting agenda items REST API in OpenProject before 17.4.0 leaks private work package data to authenticated users who lack project-level access. When a meeting agenda item is linked to a work package belonging to a private or inaccessible project, the GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id endpoint returns that work package's confidential data in its response, silently bypassing project-level authorization checks. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 17.4.0.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44736 MEDIUM PATCH This Month

Unauthorized information disclosure in OpenProject before 17.4.0 allows any authenticated user to retrieve the subjects (titles) of work packages they have been explicitly denied access to, bypassing project-level visibility controls. The flaw exists in the GET /api/v3/relations REST API endpoint, where supplying arbitrary work package IDs to the involved, fromId, or toId filter parameters circumvents the Relation.visible scope due to a defective performance optimization in RelationQuery. No public exploit has been identified and the vulnerability is not listed in CISA KEV; however, the attack is trivially executable by any platform user with valid credentials, making it a meaningful risk in deployments handling sensitive or confidential project data.

Information Disclosure Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-46386 CRITICAL PATCH Act Now

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardcoded Rails secret (ENV SECRET_KEY_BASE=OVERWRITE_ME). Because the application uses cookies_serializer = :marshal, any logged-in user who knows this deterministic key can forge a signed cookie containing a malicious Marshal payload that is deserialized when reaching the /my/two_factor_devices cookie reader, yielding code execution on the server (CVSS 9.9, scope-changed). At the time of analysis there is no public exploit identified and the issue is not in CISA KEV, but the predictability of the default key makes exploitation straightforward for anyone running an unmodified image.

Deserialization Docker Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-52780 CRITICAL PATCH Act Now

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker with adjacent-network access and no authentication (CVSS:3.1 AV:A/PR:N) to corrupt cached entries and ultimately execute arbitrary code on the server. The CVSS 9.6 score reflects a scope change (S:C) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Openproject
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-52779 MEDIUM PATCH This Month

Cross-project IDOR in OpenProject's Calendar and Team Planner modules allows an authenticated low-privileged user with management rights in one project to delete public or shared Calendar and Team Planner Query views belonging to entirely separate projects on the same instance. The authorization context is established using :project_id from the URL (Project A), but the targeted Query object is resolved independently by :id through Query.visible(current_user), with no check that the loaded Query belongs to the authorized project - enabling cross-project privilege misuse. Versions prior to 17.3.3 and 17.4.1 are affected; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-47193 HIGH PATCH This Week

Information disclosure in OpenProject before 17.3.3 and 17.4.1 lets remote attackers read hidden historical field values through the journal diff endpoint, which fails to enforce object- and field-level visibility checks. The flaw (CWE-200) carries a CVSS 7.5 driven entirely by high confidentiality impact, exposing prior values of work-package fields that should be restricted. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-52781 MEDIUM PATCH This Month

Stored XSS in OpenProject's HTML sanitizer allows authenticated project contributors to execute arbitrary Turbo Stream actions - including forced redirects - in every other user's authenticated browser session. The sanitizer's `:data` wildcard for `<macro>` elements permits injection of `data-controller` attributes that Stimulus.js silently mounts, chaining an attacker-uploaded attachment through `renderStreamMessage()` to achieve cross-user session manipulation without victim interaction beyond viewing the work package. Patch-confirmed by vendor GitHub Security Advisory GHSA-q33w-f822-hg8x; no public exploit identified at time of analysis.

XSS Openproject
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-52782 CRITICAL PATCH Act Now

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct object reference (CWE-639) to take over another project's managed Nextcloud or OneDrive storage folder. By PATCHing the storages_project_storage[project_folder_id] parameter on /projects/<id>/settings/project_storages/<ps_id>, an attacker writes a victim project's folder ID into their own ProjectStorage row, and the next managed-folder sync rewrites the target folder's ACL to the attacker's project member list. CVSS is 9.9 and the issue carries a scope change, but there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Nextcloud Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-52783 HIGH PATCH This Week

Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Redis Microsoft Information Disclosure Openproject
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-52784 HIGH PATCH This Week

Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id carrying the POST parameter user[admin], coercing a logged-in privileged user's browser into granting administrator rights to an arbitrary account. The flaw (CWE-352) rates CVSS 8.8 because a successful forgery yields full administrative control over the instance; no public exploit is identified at time of analysis and it is not listed in CISA KEV. Both the 17.3.x and 17.4.x maintenance lines are affected, with fixes shipped in 17.3.3 and 17.4.1.

CSRF Openproject
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52785 CRITICAL PATCH Act Now

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user inject SQL through the timestamps parameter used to request historic work-package attributes, affecting all versions prior to 17.3.3 and 17.4.1. Rated CVSS 9.9 with a changed scope, it can expose or alter database contents beyond the user's normal authorization. No public exploit identified at time of analysis; the issue is fixed in 17.3.3 and 17.4.1.

SQLi Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-40896 MEDIUM PATCH This Month

OpenProject versions prior to 17.3.0 allow authenticated users with manage_agendas permission in any single project to inject malicious agenda items into meetings across all other projects on the instance, including projects to which the attacker has no access. The vulnerability requires only valid project membership with limited permissions and no knowledge of target meetings, enabling an attacker to systematically compromise meeting integrity across an entire OpenProject deployment. No public exploit code has been identified, and the vendor has released patched version 17.3.0 addressing this privilege escalation flaw.

Code Injection Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33667 HIGH PATCH This Week

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability applies to backup code verification. This effectively allows complete 2FA bypass for any account where the password is known. This issue has been fixed in version 17.3.0.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-34717 CRITICAL PATCH Act Now

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via the =n operator. Affects all versions prior to 17.2.3. Attack complexity is low with no user interaction required, enabling authenticated users to escalate privileges, modify data integrity, and potentially compromise availability across scope boundaries. Vendor-released patch confirms fix in version 17.2.3. EPSS score of 0.04% (13th percentile) indicates low probability of mass exploitation, though the CVSS 9.9 critical rating reflects severe potential impact in targeted scenarios. No CISA KEV listing or public exploit code identified at time of analysis.

SQLi Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-32703 CRITICAL PATCH Act Now

OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying filenames from repository changesets. Attackers with repository push access can inject malicious HTML code via specially crafted filenames, which executes when project members view affected changesets. This affects OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, with a CVSS score of 9.1 indicating critical severity.

XSS Openproject
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-32698 CRITICAL PATCH Act Now

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.

SQLi Openproject
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-31974 LOW Monitor

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create web...

SSRF Openproject
NVD GitHub VulDB
CVSS 3.1
3.0
EPSS
0.0%
CVE-2026-30239 MEDIUM This Month

Unauthorized budget assignment deletion in OpenProject prior to 17.2.0 allows any authenticated user to remove work package budget associations due to insufficient authorization checks being performed after the deletion operation. This improper access control enables users without proper permissions to manipulate budget data, potentially disrupting project financial tracking and resource allocation. A patch is available in version 17.2.0 and later.

Authentication Bypass Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30236 MEDIUM This Month

OpenProject prior to 17.2.0 fails to validate project membership when calculating labor costs in budget planning, allowing authenticated users to enumerate non-member employees' default billing rates. This exposure occurs both when editing budgets directly and through the cost preview calculation endpoint, potentially revealing sensitive salary information to unauthorized project users.

Authentication Bypass Openproject
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-30235 MEDIUM This Month

web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).

XSS Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-30234 MEDIUM This Month

OpenProject versions prior to 17.2.0 allow authenticated users with BCF import permissions to read arbitrary files from the server through path traversal in crafted .bcf archive uploads. An attacker can manipulate the Snapshot field in markup.bcf to reference absolute or traversal paths (such as /etc/passwd), enabling unauthorized file disclosure within the application's read permissions. This vulnerability requires valid project member credentials and no patch is currently available.

Path Traversal Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27723 MEDIUM This Month

Unauthorized wiki page creation in OpenProject prior to versions 17.0.5 and 17.1.2 allows authenticated attackers to bypass project access controls and create pages in projects they lack permission to access. The vulnerability stems from improper authentication validation on wiki page creation requests, enabling an attacker to modify project documentation without proper authorization. No patch is currently available for affected versions.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24777 MEDIUM This Month

Insufficient permission validation in OpenProject prior to 17.0.2 allows users with the Manage Users permission to lock and unlock application administrators, a capability that should be restricted to administrators only. An authenticated attacker with user management privileges can exploit this to lock out admin accounts and potentially disrupt system administration capabilities. No patch is currently available for affected versions.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-25764 LOW Monitor

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. [CVSS 3.5 LOW]

XSS Openproject
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-25763 CRITICAL Act Now

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the project management server.

RCE Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-24776 MEDIUM This Month

OpenProject versions prior to 17.0.2 fail to validate meeting section ownership during drag-and-drop operations, allowing authenticated users to inject agenda items into unrelated meetings. While attackers cannot access unauthorized meeting content, they can add arbitrary agenda items to other meetings to cause confusion or disrupt meeting organization. A patch is available in version 17.0.2.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24775 MEDIUM PATCH This Month

Insufficient input validation in OpenProject's BlockNote editor extension allows authenticated users to craft malicious documents containing relative links that trigger arbitrary GET requests to any URL within the OpenProject instance when opened. An attacker with document creation privileges can exploit this to access sensitive information or perform unauthorized actions on behalf of other users. A patch is available in OpenProject 17.0.2 and op-blocknote-extensions 0.0.22.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-24772 HIGH This Week

Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication tokens by exploiting insufficient validation of backend URLs in the real-time collaboration synchronization server. An attacker with valid credentials could redirect the synchronization server to a controlled endpoint, forcing it to send the decrypted token and enabling unauthorized access to document collaboration features. No patch is currently available for this high-severity vulnerability affecting authenticated users.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-24685 HIGH This Week

Arbitrary file write in OpenProject versions before 16.6.6 and 17.0.2 allows authenticated users with repository browse permissions to inject malicious git command options via a crafted rev parameter, enabling creation or overwriting of arbitrary files with the privileges of the OpenProject process. An attacker can exploit the `/projects/:project_id/repository/diff.diff` endpoint to write git show output to attacker-controlled file paths on the server. No patch is currently available for this high-severity vulnerability affecting the open-source project management platform.

Denial Of Service Openproject
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-23721 MEDIUM This Month

OpenProject versions prior to 17.0.1 and 16.6.5 fail to properly validate permissions when displaying group membership information, allowing authenticated users with View Members permission in any project to enumerate all groups and identify their members across the entire system. This breaks the intended access control where group membership visibility should be restricted to users with appropriate permissions in projects where the group is active. The vulnerability requires authenticated access and has no available patch or workaround at this time.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23646 MEDIUM This Month

OpenProject versions prior to 16.6.5 and 17.0.1 fail to properly validate session ownership in the session deletion endpoint, allowing authenticated users to forcibly log out arbitrary other users by iterating through sequential session IDs. An attacker with valid credentials can exploit the predictable session ID scheme via DELETE requests to /my/sessions/:id to terminate other users' sessions without authorization. No patch is currently available, and this vulnerability requires only valid authentication to exploit.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23625 HIGH This Week

Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.

XSS Openproject
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-22605 MEDIUM PATCH This Month

OpenProject versions before 16.6.3 allow authenticated users with View Meetings permission to bypass access controls and view meeting details from projects they lack authorization to access. This permission-based access control flaw enables information disclosure across project boundaries for low-privileged users. A patch is available in version 16.6.3 and later.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22604 MEDIUM PATCH This Month

OpenProject is an open-source, web-based project management software. [CVSS 5.3 MEDIUM]

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22603 MEDIUM PATCH This Month

OpenProject versions prior to 16.6.2 fail to implement rate-limiting on the unauthenticated password-change endpoint, allowing attackers to conduct brute-force attacks against known user accounts without triggering lockout mechanisms. An attacker can systematically guess passwords using common wordlists and achieve full account compromise, potentially escalating privileges depending on the victim's role within the application. A patch is available in version 16.6.2.

Privilege Escalation Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22602 LOW PATCH Monitor

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. [CVSS 3.5 LOW]

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-22601 HIGH This Week

Arbitrary command execution in OpenProject versions 16.6.1 and below allows authenticated administrators to execute system commands by manipulating the sendmail binary path configuration and triggering a test email function. An admin-level attacker can leverage this to achieve full system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available, and exploitation requires high privileges but no user interaction.

Command Injection RCE Openproject
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-22600 CRITICAL PATCH Act Now

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF export feature. Authenticated users can read server files by uploading malicious SVGs disguised as PNGs. Patch available.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-24892 LOW PATCH Monitor

OpenProject is open-source, web-based project management software. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Openproject
NVD GitHub
CVSS 3.1
3.5
EPSS
1.3%
CVE-2024-41801 MEDIUM PATCH This Month

OpenProject is open source project management software. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Openproject
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-35224 MEDIUM PATCH This Month

OpenProject is the leading open source project management software. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Openproject
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-33960 HIGH POC PATCH This Week

OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-31140 MEDIUM POC PATCH This Month

OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-43830 HIGH PATCH This Week

OpenProject is a web-based project management software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Openproject
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-32763 MEDIUM PATCH This Month

OpenProject is open-source, web-based project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2019-17092 MEDIUM This Month

An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Openproject
NVD
CVSS 3.1
6.1
EPSS
1.7%
CVE-2019-11600 HIGH POC THREAT This Week

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Openproject
NVD Exploit-DB
CVSS 3.0
8.1
EPSS
80.0%
CVE-2017-11667 HIGH PATCH This Week

OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Openproject
NVD GitHub
CVSS 3.0
8.1
EPSS
0.8%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Password validation bypass in OpenProject's REST API allows an attacker who has already seized a valid user session to change that account's password without supplying the current password, exploiting CWE-620 (Unverified Password Change) via a crafted PATCH request to /api/v3/users/me. Affected versions are all OpenProject releases prior to 17.3.2 and 17.4.0 (CPE cpe:2.3:a:opf:openproject:*:*:*:*:*:*:*:*). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, when chained with a session-takeover primitive, it converts transient access into persistent account control.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

User account enumeration in OpenProject's meetings filter feature allows authenticated attackers to probe arbitrary user IDs and, by observing differences in server responses, determine whether each ID corresponds to a valid account and retrieve the associated user's full name. All versions prior to 17.3.2 and 17.4.0 are affected. No public exploit code or active exploitation has been identified at time of analysis, though the low-complexity attack path makes this straightforward to weaponize for reconnaissance.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a `project_id` attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the `:manage_documents` permission check entirely. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the attack requires only a valid user session and standard HTTP tooling.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization in OpenProject's CostReportsController allows any authenticated user to rename or overwrite the filter and grouping configuration of any Public cost report system-wide, bypassing ownership checks entirely. All OpenProject deployments running versions prior to 17.3.2 and 17.4.0 are affected. An attacker with only a low-privilege account who enumerates or guesses a public report's numeric ID can silently corrupt shared cost reporting configurations with no warning to the report's owner. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Incorrect authorization in OpenProject's REST API allows authenticated project members to harvest confidential work package metadata they are not entitled to view. The `GET /api/v3/shares` endpoint enforces access control only at the project level - not at the individual work package level - meaning any holder of the `view_shared_work_packages` permission can retrieve share records for every work package in a project, including confidential titles, share recipient identities, and assigned role levels. No public exploit is identified at time of analysis; vendor-released patches exist in versions 17.3.2 and 17.4.0.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

CSS injection in OpenProject's rich text rendering pipeline prior to version 17.4.0 allows any authenticated user with write access to inject arbitrary CSS into formattable text fields (work package descriptions, comments, project descriptions, news). The misconfigured Sanitize::Config::RELAXED[:css] setting permits all CSS properties on permitted HTML elements, enabling UI redressing, phishing overlays, and potential CSS-based side-channel data exfiltration when a victim views the malicious content. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vendor-released fix is available in 17.4.0.

XSS Openproject
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The meeting agenda items REST API in OpenProject before 17.4.0 leaks private work package data to authenticated users who lack project-level access. When a meeting agenda item is linked to a work package belonging to a private or inaccessible project, the GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id endpoint returns that work package's confidential data in its response, silently bypassing project-level authorization checks. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 17.4.0.

Information Disclosure Openproject
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthorized information disclosure in OpenProject before 17.4.0 allows any authenticated user to retrieve the subjects (titles) of work packages they have been explicitly denied access to, bypassing project-level visibility controls. The flaw exists in the GET /api/v3/relations REST API endpoint, where supplying arbitrary work package IDs to the involved, fromId, or toId filter parameters circumvents the Relation.visible scope due to a defective performance optimization in RelationQuery. No public exploit has been identified and the vulnerability is not listed in CISA KEV; however, the attack is trivially executable by any platform user with valid credentials, making it a meaningful risk in deployments handling sensitive or confidential project data.

Information Disclosure Openproject
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardcoded Rails secret (ENV SECRET_KEY_BASE=OVERWRITE_ME). Because the application uses cookies_serializer = :marshal, any logged-in user who knows this deterministic key can forge a signed cookie containing a malicious Marshal payload that is deserialized when reaching the /my/two_factor_devices cookie reader, yielding code execution on the server (CVSS 9.9, scope-changed). At the time of analysis there is no public exploit identified and the issue is not in CISA KEV, but the predictability of the default key makes exploitation straightforward for anyone running an unmodified image.

Deserialization Docker Openproject
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker with adjacent-network access and no authentication (CVSS:3.1 AV:A/PR:N) to corrupt cached entries and ultimately execute arbitrary code on the server. The CVSS 9.6 score reflects a scope change (S:C) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Openproject
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-project IDOR in OpenProject's Calendar and Team Planner modules allows an authenticated low-privileged user with management rights in one project to delete public or shared Calendar and Team Planner Query views belonging to entirely separate projects on the same instance. The authorization context is established using :project_id from the URL (Project A), but the targeted Query object is resolved independently by :id through Query.visible(current_user), with no check that the loaded Query belongs to the authorized project - enabling cross-project privilege misuse. Versions prior to 17.3.3 and 17.4.1 are affected; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in OpenProject before 17.3.3 and 17.4.1 lets remote attackers read hidden historical field values through the journal diff endpoint, which fails to enforce object- and field-level visibility checks. The flaw (CWE-200) carries a CVSS 7.5 driven entirely by high confidentiality impact, exposing prior values of work-package fields that should be restricted. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Openproject
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored XSS in OpenProject's HTML sanitizer allows authenticated project contributors to execute arbitrary Turbo Stream actions - including forced redirects - in every other user's authenticated browser session. The sanitizer's `:data` wildcard for `<macro>` elements permits injection of `data-controller` attributes that Stimulus.js silently mounts, chaining an attacker-uploaded attachment through `renderStreamMessage()` to achieve cross-user session manipulation without victim interaction beyond viewing the work package. Patch-confirmed by vendor GitHub Security Advisory GHSA-q33w-f822-hg8x; no public exploit identified at time of analysis.

XSS Openproject
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct object reference (CWE-639) to take over another project's managed Nextcloud or OneDrive storage folder. By PATCHing the storages_project_storage[project_folder_id] parameter on /projects/<id>/settings/project_storages/<ps_id>, an attacker writes a victim project's folder ID into their own ProjectStorage row, and the next managed-folder sync rewrites the target folder's ACL to the attacker's project member list. CVSS is 9.9 and the issue carries a scope change, but there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Nextcloud Openproject
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Redis Microsoft Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id carrying the POST parameter user[admin], coercing a logged-in privileged user's browser into granting administrator rights to an arbitrary account. The flaw (CWE-352) rates CVSS 8.8 because a successful forgery yields full administrative control over the instance; no public exploit is identified at time of analysis and it is not listed in CISA KEV. Both the 17.3.x and 17.4.x maintenance lines are affected, with fixes shipped in 17.3.3 and 17.4.1.

CSRF Openproject
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user inject SQL through the timestamps parameter used to request historic work-package attributes, affecting all versions prior to 17.3.3 and 17.4.1. Rated CVSS 9.9 with a changed scope, it can expose or alter database contents beyond the user's normal authorization. No public exploit identified at time of analysis; the issue is fixed in 17.3.3 and 17.4.1.

SQLi Openproject
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenProject versions prior to 17.3.0 allow authenticated users with manage_agendas permission in any single project to inject malicious agenda items into meetings across all other projects on the instance, including projects to which the attacker has no access. The vulnerability requires only valid project membership with limited permissions and no knowledge of target meetings, enabling an attacker to systematically compromise meeting integrity across an entire OpenProject deployment. No public exploit code has been identified, and the vendor has released patched version 17.3.0 addressing this privilege escalation flaw.

Code Injection Openproject
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability applies to backup code verification. This effectively allows complete 2FA bypass for any account where the password is known. This issue has been fixed in version 17.3.0.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via the =n operator. Affects all versions prior to 17.2.3. Attack complexity is low with no user interaction required, enabling authenticated users to escalate privileges, modify data integrity, and potentially compromise availability across scope boundaries. Vendor-released patch confirms fix in version 17.2.3. EPSS score of 0.04% (13th percentile) indicates low probability of mass exploitation, though the CVSS 9.9 critical rating reflects severe potential impact in targeted scenarios. No CISA KEV listing or public exploit code identified at time of analysis.

SQLi Openproject
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying filenames from repository changesets. Attackers with repository push access can inject malicious HTML code via specially crafted filenames, which executes when project members view affected changesets. This affects OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, with a CVSS score of 9.1 indicating critical severity.

XSS Openproject
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.

SQLi Openproject
NVD GitHub VulDB
EPSS 0% CVSS 3.0
LOW Monitor

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create web...

SSRF Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized budget assignment deletion in OpenProject prior to 17.2.0 allows any authenticated user to remove work package budget associations due to insufficient authorization checks being performed after the deletion operation. This improper access control enables users without proper permissions to manipulate budget data, potentially disrupting project financial tracking and resource allocation. A patch is available in version 17.2.0 and later.

Authentication Bypass Openproject
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

OpenProject prior to 17.2.0 fails to validate project membership when calculating labor costs in budget planning, allowing authenticated users to enumerate non-member employees' default billing rates. This exposure occurs both when editing budgets directly and through the cost preview calculation endpoint, potentially revealing sensitive salary information to unauthorized project users.

Authentication Bypass Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).

XSS Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

OpenProject versions prior to 17.2.0 allow authenticated users with BCF import permissions to read arbitrary files from the server through path traversal in crafted .bcf archive uploads. An attacker can manipulate the Snapshot field in markup.bcf to reference absolute or traversal paths (such as /etc/passwd), enabling unauthorized file disclosure within the application's read permissions. This vulnerability requires valid project member credentials and no patch is currently available.

Path Traversal Openproject
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized wiki page creation in OpenProject prior to versions 17.0.5 and 17.1.2 allows authenticated attackers to bypass project access controls and create pages in projects they lack permission to access. The vulnerability stems from improper authentication validation on wiki page creation requests, enabling an attacker to modify project documentation without proper authorization. No patch is currently available for affected versions.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

Insufficient permission validation in OpenProject prior to 17.0.2 allows users with the Manage Users permission to lock and unlock application administrators, a capability that should be restricted to administrators only. An authenticated attacker with user management privileges can exploit this to lock out admin accounts and potentially disrupt system administration capabilities. No patch is currently available for affected versions.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 3.5
LOW Monitor

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. [CVSS 3.5 LOW]

XSS Openproject
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the project management server.

RCE Openproject
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

OpenProject versions prior to 17.0.2 fail to validate meeting section ownership during drag-and-drop operations, allowing authenticated users to inject agenda items into unrelated meetings. While attackers cannot access unauthorized meeting content, they can add arbitrary agenda items to other meetings to cause confusion or disrupt meeting organization. A patch is available in version 17.0.2.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Insufficient input validation in OpenProject's BlockNote editor extension allows authenticated users to craft malicious documents containing relative links that trigger arbitrary GET requests to any URL within the OpenProject instance when opened. An attacker with document creation privileges can exploit this to access sensitive information or perform unauthorized actions on behalf of other users. A patch is available in OpenProject 17.0.2 and op-blocknote-extensions 0.0.22.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 8.9
HIGH This Week

Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication tokens by exploiting insufficient validation of backend URLs in the real-time collaboration synchronization server. An attacker with valid credentials could redirect the synchronization server to a controlled endpoint, forcing it to send the decrypted token and enabling unauthorized access to document collaboration features. No patch is currently available for this high-severity vulnerability affecting authenticated users.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file write in OpenProject versions before 16.6.6 and 17.0.2 allows authenticated users with repository browse permissions to inject malicious git command options via a crafted rev parameter, enabling creation or overwriting of arbitrary files with the privileges of the OpenProject process. An attacker can exploit the `/projects/:project_id/repository/diff.diff` endpoint to write git show output to attacker-controlled file paths on the server. No patch is currently available for this high-severity vulnerability affecting the open-source project management platform.

Denial Of Service Openproject
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

OpenProject versions prior to 17.0.1 and 16.6.5 fail to properly validate permissions when displaying group membership information, allowing authenticated users with View Members permission in any project to enumerate all groups and identify their members across the entire system. This breaks the intended access control where group membership visibility should be restricted to users with appropriate permissions in projects where the group is active. The vulnerability requires authenticated access and has no available patch or workaround at this time.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

OpenProject versions prior to 16.6.5 and 17.0.1 fail to properly validate session ownership in the session deletion endpoint, allowing authenticated users to forcibly log out arbitrary other users by iterating through sequential session IDs. An attacker with valid credentials can exploit the predictable session ID scheme via DELETE requests to /my/sessions/:id to terminate other users' sessions without authorization. No patch is currently available, and this vulnerability requires only valid authentication to exploit.

Information Disclosure Openproject
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.

XSS Openproject
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

OpenProject versions before 16.6.3 allow authenticated users with View Meetings permission to bypass access controls and view meeting details from projects they lack authorization to access. This permission-based access control flaw enables information disclosure across project boundaries for low-privileged users. A patch is available in version 16.6.3 and later.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenProject is an open-source, web-based project management software. [CVSS 5.3 MEDIUM]

Information Disclosure Openproject
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenProject versions prior to 16.6.2 fail to implement rate-limiting on the unauthenticated password-change endpoint, allowing attackers to conduct brute-force attacks against known user accounts without triggering lockout mechanisms. An attacker can systematically guess passwords using common wordlists and achieve full account compromise, potentially escalating privileges depending on the victim's role within the application. A patch is available in version 16.6.2.

Privilege Escalation Openproject
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. [CVSS 3.5 LOW]

Information Disclosure Openproject
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary command execution in OpenProject versions 16.6.1 and below allows authenticated administrators to execute system commands by manipulating the sendmail binary path configuration and triggering a test email function. An admin-level attacker can leverage this to achieve full system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available, and exploitation requires high privileges but no user interaction.

Command Injection RCE Openproject
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF export feature. Authenticated users can read server files by uploading malicious SVGs disguised as PNGs. Patch available.

Information Disclosure Openproject
NVD GitHub
EPSS 1% CVSS 3.5
LOW PATCH Monitor

OpenProject is open-source, web-based project management software. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Openproject
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenProject is open source project management software. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Openproject
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

OpenProject is the leading open source project management software. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Openproject
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Openproject
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Openproject
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

OpenProject is a web-based project management software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Openproject
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

OpenProject is open-source, web-based project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Openproject
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM This Month

An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Openproject
NVD
EPSS 80% CVSS 8.1
HIGH POC THREAT This Week

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Openproject
NVD Exploit-DB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Openproject
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy