Update security fixes

Author: machisuji

docs/release-notes/17-2-0/README.md

@@ -16,6 +16,97 @@ release_date: 2026-03-11
 
 <!-- BEGIN CVE AUTOMATED SECTION -->
 
+## Security fixes
+
+
+
+### CVE-2026-30234 - OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Read (AFR)
+
+An authenticated project member with BCF import permissions can upload a crafted `.bcf` archive where the `<Snapshot>` value in `markup.bcf` is manipulated to contain an absolute or traversal local path (for example: `/etc/passwd` or `../../../../etc/passwd`).
+
+
+
+During import, this untrusted `<Snapshot>` value is used as `file.path` during attachment processing.
+
+As a result, local filesystem content can be read outside the intended ZIP scope.
+
+
+
+This results in an **Arbitrary File Read (AFR)** within the read permissions of the OpenProject application user.
+
+
+
+This vulnerability was reported independently by users sam91281 and DQH1 as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-q8c5-vpmm-xrxv](https://github.com/opf/openproject/security/advisories/GHSA-q8c5-vpmm-xrxv)
+
+
+
+### CVE-2026-30235 - Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering
+
+This vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution.
+
+
+
+This vulnerability was reported by user frozzipies as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-9rv2-9xv5-gpq8](https://github.com/opf/openproject/security/advisories/GHSA-9rv2-9xv5-gpq8)
+
+
+
+### CVE-2026-30236 - Users that are not project members can be used to calculate Labor Budget, leaking their global hourly rate
+
+When editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user&#39;s default rate (if one was set up) to users that should only see that information for project members.
+
+
+
+Also, the endpoint that handles the pre-calculation for the frontend to display a preview of the costs, while it was being entered, did not properly validate the membership of the user as well. This also allowed to calculate costs with the default rate of non-members.
+
+
+
+This vulnerability was reported by user Thesecret2055 as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-p747-569x-3v3f](https://github.com/opf/openproject/security/advisories/GHSA-p747-569x-3v3f)
+
+
+
+### CVE-2026-30239 - Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets
+
+When budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments.
+
+
+
+This vulnerability was reported by user cavid as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-gpvh-g967-g4h8](https://github.com/opf/openproject/security/advisories/GHSA-gpvh-g967-g4h8)
+
+
+
+### CVE-2026-31974 - Blind SSRF on OpenProject instance via webhooks, and through /admin/test_email via POST request leads to internal network reconnaissance
+
+OpenProject SMTP test endpoint (POST /admin/settings/mail\_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable.
+
+
+
+Similarly, you can create webhooks in OpenProject and point them to arbitrary IPs, resulting in the same kind of SSRF issue which allows attackers to scan the internal network.
+
+
+
+This vulnerability was reported by user [drak3hft7](https://yeswehack.com/hunters/drak3hft7) and [adilburak](https://yeswehack.com/hunters/drak3hft7) as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-9wr7-j98g-2jh3](https://github.com/opf/openproject/security/advisories/GHSA-9wr7-j98g-2jh3)
+
+
 <!-- END CVE AUTOMATED SECTION -->
 
 ## Important feature changes