From 96d594727903bbe96043ef17a308dcb35f4b10fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 09:59:54 +0200 Subject: [PATCH 1/5] Update security fixes --- docs/release-notes/17-3-3/README.md | 80 +++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 docs/release-notes/17-3-3/README.md diff --git a/docs/release-notes/17-3-3/README.md b/docs/release-notes/17-3-3/README.md new file mode 100644 index 00000000000..4b185833b06 --- /dev/null +++ b/docs/release-notes/17-3-3/README.md @@ -0,0 +1,80 @@ +--- +title: OpenProject 17.3.3 +sidebar_navigation: + title: 17.3.3 +release_version: 17.3.3 +release_date: 2026-06-08 +--- + +# OpenProject 17.3.3 + +Release date: 2026-06-08 + +We released [OpenProject 17.3.3](https://community.openproject.org/versions/2299). +The release contains several bug fixes and we recommend updating to the newest version. +Below you will find a complete list of all changes and bug fixes. + +## Security fixes + +### CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-f2rx-x2qj-2hgj](https://github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj) + +### GHSA-3vpx-94qx-xpw6 - IDOR through /projects//settings/project_storages/ via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources +A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's `project_folder_id` into the attacker's `Storages::ProjectStorage` row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-3vpx-94qx-xpw6](https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6) + +### GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter "user[admin]" +Turbo Drive auto-injects CSRF tokens (from ``) on forms injected via the XSS's `append` Turbo Stream action. A second action, `dispatch_event` with `name="submit"`, auto-submits the form with no victim interaction beyond viewing the work package, resulting in a CSRF attack + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-6crw-7f5r-4qj9](https://github.com/opf/openproject/security/advisories/GHSA-6crw-7f5r-4qj9) + +### GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality +OpenProject baseline comparison allows callers to request historic work-package attributes using the `timestamps` parameter. + +The timestamp parser accepts a relative date keyword on the first line because its regular expression uses line anchors. The parser validates the input, but the original multi-line string is kept and later interpolated into a raw SQL `CASE ... THEN ''` expression. + +An authenticated user who can save a query can persist a timestamp array value containing literal commas and trigger a top-level data-modifying CTE. This gives the attacker a generic database write primitive as the OpenProject application database role. + +The demonstrated impact is administrator privilege escalation: the attacker uses that write primitive to update their own account record, setting the account's administrator flag to true. The same injection also allows in-band data disclosure through work-package timestamp metadata. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-98vw-2r87-fx2r](https://github.com/opf/openproject/security/advisories/GHSA-98vw-2r87-fx2r) + +### GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage..httpx_access_token" leads to Sensitive Data Exposure +OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth `access_token` plaintext to `Rails.cache` under the deterministic key `storage..httpx_access_token`, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (`file_store`, `memcache`, `redis`) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous `get` over the memcached binary protocol (or the equivalent against Redis) + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-h83w-5q5x-pq27](https://github.com/opf/openproject/security/advisories/GHSA-h83w-5q5x-pq27) + +### GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description" +The HTML sanitizer grants `` elements unrestricted `data-*` attributes via `:data` wildcard. An attacker injects `data-controller="poll-for-changes"` into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to `renderStreamMessage()`. This executes arbitrary Turbo Stream actions — including `redirect_to` — in every victim's authenticated browser session, redirecting them to an attacker-controlled server. + +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-q33w-f822-hg8x](https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x) + +### GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE) +This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. + +For more information, please see the [GitHub advisory #GHSA-qj96-f42f-6336](https://github.com/opf/openproject/security/advisories/GHSA-qj96-f42f-6336) + + + + +## Bug fixes and changes + + + + + + + From 667006bfc541e7715f2bdd1064cc8b3ef8bd3fd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 09:59:55 +0200 Subject: [PATCH 2/5] Add release-notes file --- docs/release-notes/README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md index 1e7f36f8c1e..7e15b7308c4 100644 --- a/docs/release-notes/README.md +++ b/docs/release-notes/README.md @@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases +## 17.3.3 + +Release date: 2026-06-08 + +[Release Notes](17-3-3/) + + ## 17.3.2 Release date: 2026-05-13 From b6bd1c3d7b4cb0d9d0a402bb479d7fcaf071eed9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 09:59:57 +0200 Subject: [PATCH 3/5] Update hocuspocus image to openproject/hocuspocus:17.3.3 --- docker/prod/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile index c6144a26339..44bab1d60b9 100755 --- a/docker/prod/Dockerfile +++ b/docker/prod/Dockerfile @@ -141,7 +141,7 @@ ENV PGDATA=/var/openproject/pgdata COPY --from=openproject/gosu /go/bin/gosu /usr/local/bin/gosu RUN chmod +x /usr/local/bin/gosu && gosu nobody true -COPY --from=openproject/hocuspocus:17.3.2 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus +COPY --from=openproject/hocuspocus:17.3.3 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus # Keep node/npm in all-in-one for bundled hocuspocus even when BIM support is disabled. COPY --from=build-base /usr/local/bin/node /usr/local/bin/node COPY --from=build-base /usr/local/lib/node_modules /usr/local/lib/node_modules From 5ee515c5c80c3aaf1e7527f63e4e69798aef1b29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 09:59:57 +0200 Subject: [PATCH 4/5] Update publiccode.yml --- publiccode.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/publiccode.yml b/publiccode.yml index c63a0fc2f8c..27fdcd10f82 100644 --- a/publiccode.yml +++ b/publiccode.yml @@ -7,8 +7,8 @@ name: OpenProject applicationSuite: openDesk url: 'https://github.com/opf/openproject' roadmap: 'https://www.openproject.org/roadmap' -releaseDate: '2026-05-13' -softwareVersion: '17.3.2' +releaseDate: '2026-06-08' +softwareVersion: '17.3.3' developmentStatus: stable softwareType: standalone/web logo: 'publiccode_logo.svg' From 769063cf4b1375f01f3e60029177171ebcc0a910 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Mon, 8 Jun 2026 09:59:59 +0200 Subject: [PATCH 5/5] Bumped version to 17.3.4 [ci skip] --- lib/open_project/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb index 06123b70f5f..9dbcb9768d2 100644 --- a/lib/open_project/version.rb +++ b/lib/open_project/version.rb @@ -33,7 +33,7 @@ module OpenProject module VERSION # :nodoc: MAJOR = 17 MINOR = 3 - PATCH = 3 + PATCH = 4 class << self def revision