We released OpenProject OpenProject 17.0.2.
The release contains sa security fix and several bug fixes and we strongly recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-24685 - Argument Injection on Repository Diff allows Arbitrary File Write and Remote Code Execution
An arbitrary file write vulnerability exists in OpenProject’s repository diff download endpoint (/projects/:project_id/repository/diff.diff) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path.
As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability.
When the user has permissions to write into the repository, they can craft a specific commit to result in a RCE with permission scope of the OpenProject application.
CVE-2026-24772 - SSRF and CSWSH in Hocuspocus Synchronization Server
To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing.
The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf.
CVE-2026-24775 - Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension
In the new editor for collaborative documents based on BlockNote we added a custom extension that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary GET requests to any URL within the OpenProject instance.