From 1e73323c536e66fe2843f68d234e2e75b1ab6b14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 13 May 2026 07:19:13 +0200 Subject: [PATCH 1/6] Update security fixes --- docs/release-notes/17-3-2/README.md | 142 ++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 docs/release-notes/17-3-2/README.md diff --git a/docs/release-notes/17-3-2/README.md b/docs/release-notes/17-3-2/README.md new file mode 100644 index 00000000000..d2e0a39c2ad --- /dev/null +++ b/docs/release-notes/17-3-2/README.md 
@@ -0,0 +1,142 @@ +--- +title: OpenProject 17.3.2 +sidebar_navigation: + title: 17.3.2 +release_version: 17.3.2 +release_date: 2026-05-13 +--- + + # OpenProject 17.3.2 + + Release date: 2026-05-13 + + We released [OpenProject 17.3.2](https://community.openproject.org/versions/2296). + The release contains several bug fixes and we recommend updating to the newest version. + Below you will find a complete list of all changes and bug fixes. + + + +## Security fixes + + + +### GHSA-r85r-gjq2-f83r - Docker Container starts with SECRET_KEY_BASE default value + +When an attacker knew the secret key base that the application used to derive internal keys from, they could construct encrypted cookies that on the server side were decoded using [Object Marshalling](https://docs.ruby-lang.org/en/4.0/Marshal.html) which allowed the attacker to execute almost arbitrary ruby code within the container, up to a complete remote code execution. This was especially present in Docker containers that shipped with a default value as the secret key base, when it was not manually overwritten, as mentioned in the documentation. + + + +As a fix, the docker containers now validate that a proper `SECRET_KEY_BASE` environment variable is set Otherwise the application aborts the boot process with an error message. The documentation has been updated to make it even clearer, that the `SECRET_KEY_BASE` env variable must be set. And the decoding of the encrypted cookies has been updated to use JSON encoding instead of Object Marshalling.  + + + +**Administrators that have not set a `SECRET_KEY_BASE` environment before need to set one now. Otherwise the application will not boot.** + + + +**This will force all users using 2 factor authentication to authenticate on their next login, even if they have saved a cookie to skip 2FA for the next 14 days.** + + + +This vulnerability was responsibly reported by GitHub user [hkolvenbach](https://github.com/hkolvenbach). 
+ + + +For more information, please see the [GitHub advisory #GHSA-r85r-gjq2-f83r](https://github.com/opf/openproject/security/advisories/GHSA-r85r-gjq2-f83r) + + + +### CVE-2026-44731 - Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure + +The web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. + + + +This vulnerability was reported by user tuannq\_gg as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + + + +For more information, please see the [GitHub advisory #GHSA-x7j3-cfgf-7mc4](https://github.com/opf/openproject/security/advisories/GHSA-x7j3-cfgf-7mc4) + + + +### CVE-2026-44732 - IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of Resources + +OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated . + + + +During update, attacker-controlled attributes are applied to the persisted record before authorization is enforced. As a result, a user without `:manage_documents` in the source project can move and modify foreign project documents by setting `project_id` in a single PATCH request. + + + +This vulnerability was reported by sam91281 as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. 
+ + + +For more information, please see the [GitHub advisory #GHSA-mqvv-5mvc-7pg7](https://github.com/opf/openproject/security/advisories/GHSA-mqvv-5mvc-7pg7) + + + +### CVE-2026-44733 - Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements + +A password validation flaw in the change password behavior allows attackers to change a user's password only with an active session takeover. + + + +
+ + + +This vulnerability was reported by user herdiyanitdev as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + + + +For more information, please see the [GitHub advisory #GHSA-px7f-cj9f-7m4m](https://github.com/opf/openproject/security/advisories/GHSA-px7f-cj9f-7m4m) + + + +### CVE-2026-44734 - Improper Access Control on OpenProject through the POST request to /projects/[PROJECT_NAME]/cost_reports/[REPORT_ID]/rename + +A Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, and grouping of any Public cost report in the system without verifying ownership or permission level. + +An attacker who discovers or guesses a public report's numeric ID can rename or overwrite its filter configuration without any warning to the report's owner. + + + +This vulnerability was reported by user herdiyanitdev as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + + + +For more information, please see the [GitHub advisory #GHSA-c767-34gh-gh2h](https://github.com/opf/openproject/security/advisories/GHSA-c767-34gh-gh2h) + + + +### CVE-2026-44735 - Shares API Information Disclosure + +The `GET /api/v3/shares` endpoint returns share details for ALL work packages in a project to any user with the `view_shared_work_packages` permission. The authorization check operates at the **project level** only — it does not verify the requesting user can actually view each individual shared work package. + + + +This vulnerability was reported by GitHub user [DAVIDAROCA27](https://github.com/DAVIDAROCA27). 
+ + + +For more information, please see the [GitHub advisory #GHSA-cfg3-f34w-9xx5](https://github.com/opf/openproject/security/advisories/GHSA-cfg3-f34w-9xx5) + + + + + + +## Bug fixes and changes + + + + +- Bugfix: Performance impact of large Markdown/HTML templates caused by the tagfilter GFM extension \[[#74151](https://community.openproject.org/wp/74151)\] +- Bugfix: Budget widget breaks when lots of cost types defined \[[#74189](https://community.openproject.org/wp/74189)\] +- Bugfix: Direct login prevents authentication from mobile app \[[#74569](https://community.openproject.org/wp/74569)\] + + + From 1bf42decb7089ecb6a9e0a54cc9d56a881411c05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 13 May 2026 07:19:14 +0200 Subject: [PATCH 2/6] Add release-notes file --- docs/release-notes/README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md index 3f758e6149c..1e7f36f8c1e 100644 --- a/docs/release-notes/README.md +++ b/docs/release-notes/README.md @@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases +## 17.3.2 + +Release date: 2026-05-13 + +[Release Notes](17-3-2/) + + ## 17.2.4 Release date: 2026-05-13 From 6e0adc1f369ae98ed473e3b3e560ca62846360dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 13 May 2026 07:19:15 +0200 Subject: [PATCH 3/6] Update hocuspocus image to openproject/hocuspocus:17.3.2 --- docker/prod/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile index 2a9177b642a..c6144a26339 100755 --- a/docker/prod/Dockerfile +++ b/docker/prod/Dockerfile 
@@ -141,7 +141,7 @@ ENV PGDATA=/var/openproject/pgdata COPY --from=openproject/gosu /go/bin/gosu /usr/local/bin/gosu RUN chmod +x /usr/local/bin/gosu && gosu nobody true -COPY --from=openproject/hocuspocus:17.3.1 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus +COPY --from=openproject/hocuspocus:17.3.2 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus # Keep node/npm in all-in-one for bundled hocuspocus even when BIM support is disabled. COPY --from=build-base /usr/local/bin/node /usr/local/bin/node COPY --from=build-base /usr/local/lib/node_modules /usr/local/lib/node_modules From cd0d46e68f91e27deeb1fd12511a646043612498 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 13 May 2026 07:19:16 +0200 Subject: [PATCH 4/6] Update publiccode.yml --- publiccode.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/publiccode.yml b/publiccode.yml index 8d1cb870969..c63a0fc2f8c 100644 --- a/publiccode.yml +++ b/publiccode.yml @@ -7,8 +7,8 @@ name: OpenProject applicationSuite: openDesk url: 'https://github.com/opf/openproject' roadmap: 'https://www.openproject.org/roadmap' -releaseDate: '2026-04-20' -softwareVersion: '17.3.1' +releaseDate: '2026-05-13' +softwareVersion: '17.3.2' developmentStatus: stable softwareType: standalone/web logo: 'publiccode_logo.svg' From d98bc94617c485f83c1c32c81ccffbae9821e731 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 13 May 2026 07:34:54 +0200 Subject: [PATCH 5/6] Force higher volume for builds --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index a5d38e38ead..61f95799e85 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -130,7 +130,7 @@ jobs: needs: - setup runs-on: - labels: "runs-on=${{ github.run_id }}/ssh=false/${{ matrix.runner }}" + labels: "runs-on=${{ github.run_id }}/ssh=false/${{ matrix.runner }}/volume=200g" strategy: matrix: include: From 929e5cac205fc3f9f143489bb02fc067044b6e4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 13 May 2026 07:19:19 +0200 Subject: [PATCH 6/6] Bumped version to 17.3.3 [ci skip] --- lib/open_project/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb index 72977a83cb6..06123b70f5f 100644 --- a/lib/open_project/version.rb +++ b/lib/open_project/version.rb @@ -33,7 +33,7 @@ module OpenProject module VERSION # :nodoc: MAJOR = 17 MINOR = 3 - PATCH = 2 + PATCH = 3 class << self def revision
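Review bot: In the new `docs/release-notes/17-3-2/README.md` (PATCH 1/6) the GHSA-r85r-gjq2-f83r paragraph is missing a full stop in "environment variable is set Otherwise the application aborts", and there is trailing whitespace after "instead of Object Marshalling." Further down, the CVE-2026-44732 paragraph has a stray space in "and then updated .", and the CVE-2026-44733 summary "allows attackers to change a user's password only with an active session takeover" reads as if the session takeover were a limitation rather than the precondition; something like "allows an attacker who holds an active session for a user to change that user's password while bypassing the password requirements" matches the heading better. The CVE-2026-44735 sentence uses shouting caps ("ALL work packages") and an em-dash where the rest of the notes use plain sentences; "for all work packages in a project" and a full stop would be consistent.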
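Review bot: In `docker/prod/Dockerfile` (PATCH 3/6), `COPY --from=openproject/hocuspocus:17.3.2` references a mutable tag, so the production image can change if that tag is ever re-pushed. For a release build, consider pinning the stage image by digest as well, e.g. `COPY --from=openproject/hocuspocus:17.3.2@sha256:<digest-placeholder> --chown=$APP_USER:$APP_USER /app /opt/hocuspocus`, so the build is reproducible and the pulled content is verified rather than trusted by name.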
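Review bot: In `.github/workflows/docker.yml` (PATCH 5/6), the added `/volume=200g` runner label carries no explanation of why a 200 GB volume is now required; the commit message only says "Force higher volume for builds". A one-line YAML comment above the `labels:` entry stating the reason (for example which build step ran out of disk) would save the next person who tunes runner sizing from having to rediscover it.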