OpenProject 17.0.7

Release date: 2026-03-31

We released OpenProject OpenProject 17.0.7. The release contains several bug fixes and we recommend updating to the newest version. Below you will find a complete list of all changes and bug fixes.

<!-- BEGIN CVE AUTOMATED SECTION -->

Security fixes

CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string

The =n operator in cost reports did not appropriately treat user input

This vulnerability was reported by user Ochk0 through a GitHub security advisory. Thank you for responsibly disclosing your findings.

For more information, please see the GitHub advisory #GHSA-5rrm-6qmq-2364

<!-- END CVE AUTOMATED SECTION --> <!--more-->

Bug fixes and changes

<!-- Warning: Anything within the below lines will be automatically removed by the release script --> <!-- BEGIN AUTOMATED SECTION --> <!-- END AUTOMATED SECTION --> <!-- Warning: Anything above this line will be automatically removed by the release script -->