From d105542dfda836f0b22ee2f322dfb68800f83c7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 10 Jun 2026 06:26:29 +0200 Subject: [PATCH] Update README with acknowledgment for SAML SSRF report Acknowledge GitHub user for reporting SAML SSRF protection issue. --- docs/release-notes/17-5-0/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release-notes/17-5-0/README.md b/docs/release-notes/17-5-0/README.md index ea7ad3b2603..3096332a83d 100644 --- a/docs/release-notes/17-5-0/README.md +++ b/docs/release-notes/17-5-0/README.md @@ -158,6 +158,8 @@ In previous releases, we have introduced improved mechanisms to prevent Server-S In most installations, this will not require any changes. However, if you operate your SAML using internal IP addresses, you may need to add your IP or range to the `OPENPROJECT_SSRF_PROTECTION_IP_ALLOWLIST` configuration. Please see [the configuration guide for SSRF](https://www.openproject.org/docs/installation-and-operations/configuration/ssrf-protection/) for more information. +We'd like to thank GitHub user [@aslantugay](https://github.com/aslantugay) for reporting on the SAML integration still lacking SSRF protection as part of GitHub advisory https://github.com/opf/openproject/security/advisories/GHSA-mq29-cmv3-rcmr. +
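Review bot: In the added acknowledgment line, the advisory is a bare URL while the reporter on the same line and the SSRF configuration guide in the preceding paragraph both use Markdown link syntax. Suggest `[GHSA-mq29-cmv3-rcmr](https://github.com/opf/openproject/security/advisories/GHSA-mq29-cmv3-rcmr)` so the release notes render consistently and the advisory ID is readable in the text. The wording "still lacking SSRF protection" also reads as if the gap is open, although the context paragraph tells operators they may now need `OPENPROJECT_SSRF_PROTECTION_IP_ALLOWLIST` for SAML on internal addresses. Past tense ("for reporting that the SAML integration was not yet covered by SSRF protection") would make clear to readers of the 17-5-0 notes that this release is the one closing it.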