OpenProject Security Vulnerabilities (CVEs)

Track 13 security vulnerabilities affecting OpenProject products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

1 Critical
5 High
6 Medium
1 Low
CVE-2026-24777 6.7

OpenProject versions before 17.0.2 contain a missing authorization vulnerability where users with 'Manage Users' permission can lock application admin...

Feb 9, 2026
CVE-2026-25763 9.9

OpenProject versions before 16.6.7 and 17.0.3 contain an arbitrary file write vulnerability that can lead to remote code execution. Attackers with rep...

Feb 6, 2026
CVE-2026-25764 3.5

OpenProject versions before 16.6.7 and 17.0.3 contain an HTML injection vulnerability in the time tracking function. An attacker with administrator pr...

Feb 6, 2026
CVE-2026-24776 4.3

This vulnerability in OpenProject allows authenticated attackers to move meeting agenda items into different meetings they shouldn't have access to, p...

Feb 6, 2026
CVE-2026-24772 8.9

OpenProject's synchronization server improperly validates backend URLs, allowing attackers to decrypt intercepted authentication tokens and gain unaut...

Jan 28, 2026
CVE-2026-24775 6.3

OpenProject versions 17.0.0-17.0.1 contain a server-side request forgery (SSRF) vulnerability in the collaborative document editor. Attackers can craf...

Jan 28, 2026
CVE-2026-24685 8.8

OpenProject versions before 16.6.6 and 17.0.2 have a command injection vulnerability that allows authenticated users with repository browsing permissi...

Jan 28, 2026
CVE-2026-23625 8.7

OpenProject versions 16.3.0 through 16.6.4 have a stored cross-site scripting vulnerability in the Roadmap view that allows attackers to inject malici...

Jan 19, 2026
CVE-2026-23646 6.5

OpenProject versions before 16.6.5 and 17.0.1 contain a session management vulnerability where users can delete other users' active sessions. This all...

Jan 19, 2026
CVE-2026-23721 4.3

OpenProject versions before 17.0.1 and 16.6.5 have an information disclosure vulnerability where users with View Members permission in any project can...

Jan 19, 2026
CVE-2024-41801 4.7

OpenProject versions before 14.3.0 are vulnerable to host header injection, allowing attackers to forge HOST headers to redirect users to malicious si...

Jul 25, 2024
CVE-2024-35224 7.6

This vulnerability allows stored cross-site scripting (XSS) in OpenProject's Cost Report feature via misconfigured tablesorter dependency. Attackers w...

May 23, 2024
CVE-2023-33960 7.5

OpenProject's robots.txt file publicly exposes project identifiers even when the entire instance is configured to require login. This information disc...

Jun 1, 2023

Why Monitor OpenProject Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 13+ known vulnerabilities affecting OpenProject products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable OpenProject packages in under 60 seconds. No agents required - completely agentless scanning that works across OpenProject deployments.

Free vulnerability database: Access detailed information about every OpenProject CVE, including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.
