From 58d67ab81f02a40203f127f541c37f90d4d6f6ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 10:04:29 +0200 Subject: [PATCH 1/5] Update security fixes --- docs/release-notes/17-4-1/README.md | 92 +++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 docs/release-notes/17-4-1/README.md diff --git a/docs/release-notes/17-4-1/README.md b/docs/release-notes/17-4-1/README.md new file mode 100644 index 00000000000..4122ed32c8d --- /dev/null +++ b/docs/release-notes/17-4-1/README.md 
@@ -0,0 +1,92 @@ +--- +title: OpenProject 17.4.1 +sidebar_navigation: + title: 17.4.1 +release_version: 17.4.1 +release_date: 2026-06-08 +--- + +# OpenProject 17.4.1 + +Release date: 2026-06-08 + +We released [OpenProject 17.4.1](https://community.openproject.org/versions/2301). +The release contains several bug fixes and we recommend updating to the newest version. +Below you will find a complete list of all changes and bug fixes. + +## Security fixes + +### CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-f2rx-x2qj-2hgj](https://github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj) + +### CVE-2026-49355 - Private work package data disclosure through single meeting agenda item API +`GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-g387-6rm2-xw88](https://github.com/opf/openproject/security/advisories/GHSA-g387-6rm2-xw88) + +### GHSA-3vpx-94qx-xpw6 - IDOR through /projects//settings/project_storages/ via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources +A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's `project_folder_id` into the attacker's `Storages::ProjectStorage` row. 
The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-3vpx-94qx-xpw6](https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6) + +### GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter "user[admin]" +Turbo Drive auto-injects CSRF tokens (from ``) on forms injected via the XSS's `append` Turbo Stream action. A second action, `dispatch_event` with `name="submit"`, auto-submits the form with no victim interaction beyond viewing the work package, resulting in a CSRF attack + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-6crw-7f5r-4qj9](https://github.com/opf/openproject/security/advisories/GHSA-6crw-7f5r-4qj9) + +### GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality +OpenProject baseline comparison allows callers to request historic work-package attributes using the `timestamps` parameter. + +The timestamp parser accepts a relative date keyword on the first line because its regular expression uses line anchors. The parser validates the input, but the original multi-line string is kept and later interpolated into a raw SQL `CASE ... THEN ''` expression. + +An authenticated user who can save a query can persist a timestamp array value containing literal commas and trigger a top-level data-modifying CTE. This gives the attacker a generic database write primitive as the OpenProject application database role. 
+ +The demonstrated impact is administrator privilege escalation: the attacker uses that write primitive to update their own account record, setting the account's administrator flag to true. The same injection also allows in-band data disclosure through work-package timestamp metadata. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-98vw-2r87-fx2r](https://github.com/opf/openproject/security/advisories/GHSA-98vw-2r87-fx2r) + +### GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage..httpx_access_token" leads to Sensitive Data Exposure +OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth `access_token` plaintext to `Rails.cache` under the deterministic key `storage..httpx_access_token`, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (`file_store`, `memcache`, `redis`) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous `get` over the memcached binary protocol (or the equivalent against Redis) + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-h83w-5q5x-pq27](https://github.com/opf/openproject/security/advisories/GHSA-h83w-5q5x-pq27) + +### GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description" +The HTML sanitizer grants `` elements unrestricted `data-*` attributes via `:data` wildcard. 
An attacker injects `data-controller="poll-for-changes"` into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to `renderStreamMessage()`. This executes arbitrary Turbo Stream actions — including `redirect_to` — in every victim's authenticated browser session, redirecting them to an attacker-controlled server. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-q33w-f822-hg8x](https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x) + +### GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE) +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-qj96-f42f-6336](https://github.com/opf/openproject/security/advisories/GHSA-qj96-f42f-6336) + + + + +## Bug fixes and changes + + + + +- Bugfix: Migration 20250929070310 failing due to update code failing on not-yet fully migrated schema \[[#75286](https://community.openproject.org/wp/75286)\] + + + + +## Contributions +A big thanks to our Community members for reporting bugs and helping us identify and provide fixes. +This release, special thanks for reporting and finding bugs go to Alexander Aleschenko. From 0e0be3c331080ba450a66e83608209a2599a75e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 10:04:30 +0200 Subject: [PATCH 2/5] Add release-notes file --- docs/release-notes/README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md index 19b3a23a073..80211c24b65 100644 --- a/docs/release-notes/README.md 
+++ b/docs/release-notes/README.md @@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases +## 17.4.1 + +Release date: 2026-06-08 + +[Release Notes](17-4-1/) + + ## 17.3.3 Release date: 2026-06-08 From b01a19634bd1d99de5a060e10e34d35785b1be35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 10:04:31 +0200 Subject: [PATCH 3/5] Update hocuspocus image to openproject/hocuspocus:17.4.1 --- docker/prod/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile index 1e6d1c509ee..66b589d5ba6 100755 --- a/docker/prod/Dockerfile +++ b/docker/prod/Dockerfile @@ -141,7 +141,7 @@ ENV PGDATA=/var/openproject/pgdata COPY --from=openproject/gosu /go/bin/gosu /usr/local/bin/gosu RUN chmod +x /usr/local/bin/gosu && gosu nobody true -COPY --from=openproject/hocuspocus:17.4.0 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus +COPY --from=openproject/hocuspocus:17.4.1 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus # Keep node/npm in all-in-one for bundled hocuspocus even when BIM support is disabled. COPY --from=build-base /usr/local/bin/node /usr/local/bin/node COPY --from=build-base /usr/local/lib/node_modules /usr/local/lib/node_modules From 8203fc2286fd48d7d72f52b3c4a2487f96fcea28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 10:04:31 +0200 Subject: [PATCH 4/5] Update publiccode.yml --- publiccode.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/publiccode.yml b/publiccode.yml index d76300c1325..a79f8fbfc91 100644 --- a/publiccode.yml +++ b/publiccode.yml 
@@ -7,8 +7,8 @@ name: OpenProject applicationSuite: openDesk url: 'https://github.com/opf/openproject' roadmap: 'https://www.openproject.org/roadmap' -releaseDate: '2026-05-13' -softwareVersion: '17.4.0' +releaseDate: '2026-06-08' +softwareVersion: '17.4.1' developmentStatus: stable softwareType: standalone/web logo: 'publiccode_logo.svg' From 1451d2c3c490b8c6fdd0dfeea2e6c13123afae2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 10:04:34 +0200 Subject: [PATCH 5/5] Bumped version to 17.4.2 [ci skip] --- lib/open_project/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb index dba81e17a42..7c6533fe732 100644 --- a/lib/open_project/version.rb +++ b/lib/open_project/version.rb @@ -33,7 +33,7 @@ module OpenProject module VERSION # :nodoc: MAJOR = 17 MINOR = 4 - PATCH = 1 + PATCH = 2 class << self def revision
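Review bot: several security-fix entries in the new docs/release-notes/17-4-1/README.md hunk (patch 1/5) carry unfilled placeholders or empty inline code that will render as gaps: the GHSA-3vpx-94qx-xpw6 heading has an empty path segment in `/projects//settings/project_storages/`, the GHSA-h83w-5q5x-pq27 heading and body use the key `storage..httpx_access_token` with a double dot, the GHSA-6crw-7f5r-4qj9 heading still reads "CSRF on TARGET" while the GHSA-q33w-f822-hg8x heading names `openproject.example.com`, and both "CSRF tokens (from ``)" and "The HTML sanitizer grants `` elements" contain empty backtick pairs; check each against the linked advisory before publishing. Two entries are also thinner than the rest: CVE-2026-47193 and GHSA-qj96-f42f-6336 have no summary sentence at all, whereas every other entry gives one or two, so add a short description for consistency. The GHSA-6crw body refers to "the XSS's `append` Turbo Stream action" without saying which XSS is meant; if it is the GHSA-q33w stored XSS listed below, say so explicitly. The GHSA-h83w body says "(see Write cadence)", a section of the advisory that does not exist in these notes, so drop the parenthetical or turn it into a link to the advisory. Finally, the intro paragraph says only "The release contains several bug fixes" although the page lists eight security fixes and one bug fix; the intro should say that this is a security release so readers prioritise the update.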
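Review bot: in the docker/prod/Dockerfile hunk (patch 3/5), `COPY --from=openproject/hocuspocus:17.4.1` pulls a mutable registry tag at build time, so the resulting image is only as reproducible as that tag; consider pinning the stage by digest (`openproject/hocuspocus:17.4.1@sha256:<digest>`) once the 17.4.1 hocuspocus image has been pushed. Also note that this Dockerfile cannot build until that tag exists, so the hocuspocus publish must land before the docker/prod build for this release is triggered.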
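Review bot: in the lib/open_project/version.rb hunk (patch 5/5), `PATCH = 2` moves the tree past the release this series ships, so the 17.4.1 tag must point at the preceding commit (the state with publiccode.yml at `softwareVersion: '17.4.1'`), not at this one. Because the subject carries `[ci skip]`, the post-bump tree is not exercised by CI; that is acceptable for a constant change, but worth stating in the PR description so nobody expects a green run for it.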