Release OpenProject 16.6.5

oliverguenther · oliverguenther · commit 99112f321595 · 2026-01-16T10:48:49.000+01:00
diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   danger:
-    if: github.repository == 'opf/openproject'
+    if: github.repository_owner == 'opf'
     runs-on: [ubuntu-latest]
     timeout-minutes: 10
     steps:
diff --git a/.github/workflows/openapi.yaml b/.github/workflows/openapi.yaml
@@ -15,7 +15,7 @@ on:
 jobs:
   api-spec:
     name: APIv3 specification (OpenAPI 3.0)
-    if: github.repository == 'opf/openproject'
+    if: github.repository_owner == 'opf'
     runs-on: [ubuntu-latest]
     steps:
     - uses: actions/checkout@v5
diff --git a/.github/workflows/packager.yml b/.github/workflows/packager.yml
@@ -1,5 +1,5 @@
 name: Package
-on: 
+on:
   push:
     branches:
       - packaging/*
@@ -57,4 +57,4 @@ jobs:
           token: ${{ secrets.PACKAGER_PUBLISH_TOKEN }}
           repository: opf/openproject
           channel: ${{ github.ref_name }}
-          file: ${{ steps.package.outputs.package_path }}
+          file: ${{ steps.package.outputs.package_path }}
diff --git a/.github/workflows/pullpreview.yml b/.github/workflows/pullpreview.yml
@@ -20,7 +20,7 @@ jobs:
       pull-requests: write # to remove labels
       statuses: write # to create commit status
 
-    if: github.repository == 'opf/openproject' && ( github.event_name == 'schedule' || github.event.label.name == 'pullpreview' || contains(github.event.pull_request.labels.*.name, 'pullpreview') )
+    if: github.repository_owner == 'opf' && ( github.event_name == 'schedule' || github.event.label.name == 'pullpreview' || contains(github.event.pull_request.labels.*.name, 'pullpreview') )
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
diff --git a/.github/workflows/test-core.yml b/.github/workflows/test-core.yml
@@ -24,7 +24,7 @@ permissions:
 jobs:
   all:
     name: Units + Features
-    if: github.repository == 'opf/openproject'
+    if: github.repository_owner == 'opf'
     runs-on:
       labels: "runs-on=${{ github.run_id }}/image=ubuntu24-full-x64/family=m7+c7+r7+i7+r8/ram=128+256/cpu=32"
     timeout-minutes: 40
diff --git a/app/controllers/my/sessions_controller.rb b/app/controllers/my/sessions_controller.rb
@@ -32,12 +32,9 @@ module My
   class SessionsController < ::ApplicationController
     before_action :require_login
     no_authorization_required! :index,
-                               :show,
                                :destroy
 
-    self._model_object = ::Sessions::UserSession
-
-    before_action :find_model_object, only: %i(show destroy)
+    before_action :load_session, only: %i(destroy)
     before_action :prevent_current_session_deletion, only: %i(destroy)
 
     layout "my"
@@ -59,8 +56,6 @@ def index
       end
     end
 
-    def show; end
-
     def destroy
       @session.delete
 
@@ -70,6 +65,10 @@ def destroy
 
     private
 
+    def load_session
+      @session = ::Sessions::UserSession.for_user(current_user).find(params[:id])
+    end
+
     def prevent_current_session_deletion
       if @session.current?(session)
         render_400 message: I18n.t("users.sessions.may_not_delete_current")
diff --git a/config/initializers/new_framework_defaults_7_0.rb b/config/initializers/new_framework_defaults_7_0.rb
@@ -145,14 +145,13 @@
 
 # https://guides.rubyonrails.org/configuring.html#config-action-dispatch-default-headers
 # Change the default headers to disable browsers' flawed legacy XSS protection.
-# Rails.application.config.action_dispatch.default_headers = {
-#   "X-Frame-Options" => "SAMEORIGIN",
-#   "X-XSS-Protection" => "0",
-#   "X-Content-Type-Options" => "nosniff",
-#   "X-Download-Options" => "noopen",
-#   "X-Permitted-Cross-Domain-Policies" => "none",
-#   "Referrer-Policy" => "strict-origin-when-cross-origin"
-# }
+Rails.application.config.action_dispatch.default_headers = {
+  "X-Frame-Options" => "SAMEORIGIN",
+  "X-Content-Type-Options" => "nosniff",
+  "X-Download-Options" => "noopen",
+  "X-Permitted-Cross-Domain-Policies" => "none",
+  "Referrer-Policy" => "strict-origin-when-cross-origin"
+}
 
 # https://guides.rubyonrails.org/configuring.html#config-active-support-cache-format-version
 # ** Please read carefully, this must be configured in config/application.rb **
diff --git a/config/routes.rb b/config/routes.rb
@@ -899,7 +899,7 @@
     get "/deletion_info" => "users#deletion_info", as: "delete_my_account_info"
     post "/oauth/revoke_application/:application_id" => "oauth/grants#revoke_application", as: "revoke_my_oauth_application"
 
-    resources :sessions, controller: "my/sessions", as: "my_sessions", only: %i[index show destroy]
+    resources :sessions, controller: "my/sessions", as: "my_sessions", only: %i[index destroy]
     resources :auto_login_tokens, controller: "my/auto_login_tokens", as: "my_auto_login_tokens", only: %i[destroy]
 
     get "/banner" => "my/enterprise_banners#show", as: "show_enterprise_banner"
diff --git a/docs/release-notes/16-6-2/README.md b/docs/release-notes/16-6-2/README.md
@@ -11,9 +11,43 @@ release_date: 2025-12-02
 Release date: 2025-12-02
 
 We released OpenProject [OpenProject 16.6.2](https://community.openproject.org/versions/2243).
-The release contains several bug fixes and we recommend updating to the newest version.
+The release contains security relevant bug fixes and we strongly urge updating to the newest version.
 Below you will find a complete list of all changes and bug fixes.
 
+The reported vulnerabilities have been reported as part of a Pentest by [Mantodea Security GmbH](https://mantodeasecurity.de/).
+Thank you for your cooperation and responsible disclosure of the vulnerabilities
+
+### CVE-2026-22601 - Code Execution in E-Mail function
+
+For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email.
+
+This vulnerability was assigned to the CVE CVE-2026-22601.
+For more information, please see the [GitHub Advisory GHSA-9vrv-7h26-c7jc)](https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc).
+
+### CVE-2026-22602 - User Enumeration via User ID
+
+A low‑privileged logged-in user can view the full names of other users. The full name corresponding to any arbitrary user ID can be retrieved via the following URL, even if the requesting account has only minimal permissions:
+
+This vulnerability was assigned to the CVE CVE-2026-22602.
+For more information, please see the [GitHub Advisory GHSA-7fvx-9h6h-g82j](https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j).
+
+
+### CVE-2026-22603 - No protection against brute-force attacks in the Change Password function
+
+OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form.
+In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls.
+
+This vulnerability was assigned to the CVE CVE-2026-22603.
+For more information, please see the [GitHub Advisory GHSA-93x5-prx9-x239](https://github.com/opf/openproject/security/advisories/GHSA-93x5-prx9-x239).
+
+### CVE-2026-22604 - User enumeration via the change password function
+
+When sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance.
+
+This vulnerability was assigned to the CVE CVE-2026-22604.
+For more information, please see the [GitHub Advisory GHSA-q7qp-p3vw-j2fh](https://github.com/opf/openproject/security/advisories/GHSA-q7qp-p3vw-j2fh).
+
+
 <!--more-->
 
 ## Bug fixes and changes
diff --git a/docs/release-notes/16-6-3/README.md b/docs/release-notes/16-6-3/README.md
@@ -11,9 +11,18 @@ release_date: 2025-12-11
 Release date: 2025-12-11
 
 We released OpenProject [OpenProject 16.6.3](https://community.openproject.org/versions/2247).
-The release contains several bug fixes and we recommend updating to the newest version.
+The release contains security relevant bug fixes and we strongly urge updating to the newest version.
 Below you will find a complete list of all changes and bug fixes.
 
+### CVE-2026-22605 - Insecure Direct Object Reference in Meetings
+
+OpenProject versions <= 16.6.2 allows users with the View Meetings permission on any project, to access meeting agenda and section titles, notes, and text outcomes of meetings that belonged to projects, the user does not have access to. Linked work packages to projects the user is not allowed to see, are not affected.
+
+This vulnerability was assigned to the CVE CVE-2026-22605.
+For more information, please see the [GitHub Advisory GHSA-fq4m-pxvm-8x2j](https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j).
+
+This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
 <!--more-->
 
 ## Bug fixes and changes
diff --git a/docs/release-notes/16-6-4/README.md b/docs/release-notes/16-6-4/README.md
@@ -11,9 +11,19 @@ release_date: 2026-01-08
 Release date: 2026-01-08
 
 We released OpenProject [OpenProject 16.6.4](https://community.openproject.org/versions/2248).
-The release contains several bug fixes and we recommend updating to the newest version.
+
+The release contains security relevant bug fixes and we strongly urge updating to the newest version.
 Below you will find a complete list of all changes and bug fixes.
 
+### CVE-2026-22600 - Arbitrary File Read via ImageMagick SVG Coder
+
+A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject < 16.6.4 . By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.)
+
+This vulnerability was assigned to the CVE CVE-2026-22605.
+For more information, please see the [GitHub Advisory GHSA-m8f2-cwpq-vvhh)](https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh).
+
+The vulnerability has been responsibly disclosed through the [YesWeHack bounty program for OpenProject](https://yeswehack.com/programs/openproject) by user [syndrome_imposter](https://yeswehack.com/hunters/syndrome-impostor). This bug bounty program is being sponsored by the European Commission.
+
 <!--more-->
 
 ## Bug fixes and changes
diff --git a/docs/release-notes/16-6-5/README.md b/docs/release-notes/16-6-5/README.md
@@ -0,0 +1,27 @@
+---
+title: OpenProject 16.6.5
+sidebar_navigation:
+    title: 16.6.5
+release_version: 16.6.5
+release_date: 2026-01-16
+---
+
+# OpenProject 16.6.5
+
+Release date: 2026-01-16
+
+We released OpenProject [OpenProject 16.6.5](https://community.openproject.org/versions/2253).
+The release contains several bug fixes and we recommend updating to the newest version.
+Below you will find a complete list of all changes and bug fixes.
+
+<!--more-->
+
+## Bug fixes and changes
+
+<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
+<!-- BEGIN AUTOMATED SECTION -->
+
+- Bugfix: Add default framework headers removed in secure\_headers \[[#70384](https://community.openproject.org/wp/70384)\]
+
+<!-- END AUTOMATED SECTION -->
+<!-- Warning: Anything above this line will be automatically removed by the release script -->
diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md
@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
 <!--- New release notes are generated below. Do not remove comment. -->
 <!--- RELEASE MARKER -->
 
+## 16.6.5
+
+Release date: 2026-01-16
+
+[Release Notes](16-6-5/)
+
+
 ## 16.6.4
 
 Release date: 2026-01-08
diff --git a/lib/api/helpers/attachment_renderer.rb b/lib/api/helpers/attachment_renderer.rb
@@ -92,6 +92,9 @@ def send_attachment(attachment)
 
         content_type attachment_content_type(attachment)
         header["Content-Disposition"] = attachment.content_disposition
+        # Ensure we set nosniff on attachments served from our app
+        # so that browsers do not reinterpret the content
+        header["X-Content-Type-Options"] = "nosniff"
         env["api.format"] = :binary
         sendfile attachment.diskfile.path
       end
diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb
@@ -33,7 +33,7 @@ module OpenProject
   module VERSION # :nodoc:
     MAJOR = 16
     MINOR = 6
-    PATCH = 4
+    PATCH = 5
 
     class << self
       # Used by semver to define the special version (if any).
diff --git a/publiccode.yml b/publiccode.yml
@@ -7,8 +7,8 @@ name: OpenProject
 applicationSuite: openDesk
 url: 'https://github.com/opf/openproject'
 roadmap: 'https://www.openproject.org/roadmap'
-releaseDate: '2026-01-08'
-softwareVersion: '16.6.4'
+releaseDate: '2026-01-16'
+softwareVersion: '16.6.5'
 developmentStatus: stable
 softwareType: standalone/web
 logo: 'publiccode_logo.svg'
diff --git a/spec/controllers/my/sessions_controller_spec.rb b/spec/controllers/my/sessions_controller_spec.rb
diff --git a/spec/requests/api/v3/attachments/attachment_resource_shared_examples.rb b/spec/requests/api/v3/attachments/attachment_resource_shared_examples.rb
diff --git a/spec/requests/dynamic_content_security_policy_spec.rb b/spec/requests/dynamic_content_security_policy_spec.rb
