
OpenProject

PM · Velocity: 7.5

Open source web-based project management software supporting classical, agile and hybrid project management approaches.

OpenProject leans into Jira migration and agile parity while absorbing a sustained bug-bounty wave

Tags: agile-tooling, jira-migration, security-hardening, community-edition, multi-branch-maintenance

Current state

OpenProject is shipping aggressively across five maintained release branches simultaneously. 17.4 promotes the Jira Migrator out of feature-flag status with basic custom-field migration, and 17.3 reshapes the agile primitives — dedicated sprint objects, all action board types moved into the free Community edition, in-place project attribute editing, nested groups. The codebase is also absorbing a continuous stream of security disclosures (CVE-2026-44731 through -44736, GHSA-r85r, GHSA-hh5p, others) from an EU-sponsored YesWeHack bug bounty, with backported fixes landing across 16.6.x, 17.0.x, 17.1.x, 17.2.x, and 17.3.x on the same day as the headline release.

Where it's heading

The dual focus — Jira parity (custom-field migration, sprint objects, flexible backlogs) and a deliberate Community-edition expansion (all action boards now free) — reads as a coordinated squeeze on Jira during Atlassian's Cloud-only migration push. The bug-bounty volume is unusual for a project this size and suggests OpenProject has crossed into enterprise-credibility scrutiny; the response pattern — same-day backports five branches deep — shows the maintainers treating security disclosures as cross-branch events by default.

Prediction

The next minor release will likely round out the Jira Migrator — workflow and automation migration are the obvious next pieces given custom fields are now beta-complete. Continued public bounty intake will keep producing authorization and IDOR fixes; expect another coordinated cross-branch security cut within weeks.

Recent moves

  1. 8d ago — OpenProject 17.4.0 (⚡ SPARK)

     The largest release in the current arc: the Jira Migrator graduates out of feature-flag status and ships basic custom-field migration as a supported path, bundled with nine coordinated security fixes from the EU-sponsored bug bounty. Together this is the dual push — Jira parity and security maturation — at full volume.

  2. 8d ago — OpenProject 17.3.2

     Same-day backport of the 17.4 security wave onto the 17.3.x branch, plus three bug fixes (large-template tag-filter performance, budget widget under many cost types, mobile-app direct login). Reinforces the cross-branch security-cadence pattern that has defined the past month.

  3. 8d ago — OpenProject 17.2.4

     Security-only backport pushing the same CVE batch onto the 17.2.x stable branch. The simultaneous 17.4.0/17.3.2/17.2.4 cut on a single day is an unusual cadence and shows the maintainers treating these disclosures as everywhere-at-once events rather than letting older lines drift.

  4. 1mo ago — OpenProject 17.3.1

     A small bug-fix point release covering six issues — UI quirks in macros, the 2FA-device-removal flow, custom-action form errors, a reload-banner scroll regression. Routine maintenance between the 17.3.0 feature drop and the 17.3.2 security cut.

  5. 1mo ago — OpenProject 17.3.0 (⚡ SPARK)

     The agile-redesign companion piece to 17.4's Jira push: sprints become first-class objects (no more reusing versions as a workaround), all action board types move into the Community edition, project attributes become in-place editable, and user groups can now nest. Together with 17.4, this defines the current trajectory.

  6. 1mo ago — OpenProject 17.1.4

     Backport of a single SQL-injection fix in the cost-reporting "=n" operator onto the 17.1.x branch. The CVE chain reaches back five active branches simultaneously, underscoring how broadly OpenProject is still maintaining historical lines.