OpenProject 17.2 integrates MCP Server for AI-assisted project work

OpenProject 17.2 brings an MCP Server for connecting AI systems, meeting templates, budget widgets, and several security fixes.


The open-source project management software OpenProject is available in version 17.2. The central new feature is an MCP Server that makes project data accessible for AI systems. The release also brings reusable meeting templates, new budget widgets on the project overview, and five security fixes.

The MCP Server implements the Model Context Protocol and provides OpenProject's APIv3 resources as MCP-compatible endpoints. This allows AI systems such as large language models (LLMs) and other MCP clients to access project data – for example, to summarize project status or analyze dependencies between work packages. The initial set of MCP tools and resources includes entities such as Projects, Work Packages, and Users. Write access to project data is not yet provided in the current version.

Technically, the server supports session cookies and bearer tokens. For authentication, it can be connected via OAuth2, API keys, and external OpenID Connect providers; a dedicated OAuth scope "mcp" is available for this purpose. Configuration is done via an administrative interface where response formats and volumes can be set.

The feature was sponsored by Mercedes-AMG, which, according to the developers, is already actively using the MCP Server in its own OpenProject environment and participated in the requirements gathering. The MCP Server is available as an Enterprise add-on starting from the Professional Plan.

OpenProject 17.2 introduces reusable meeting templates. Administrators define templates with a predefined agenda layout that users can select when creating a meeting. The agenda is then automatically filled, standardizing and accelerating preparation. The function is available as an Enterprise add-on starting from the Basic Plan.

On the project overview, new budget widgets display planned budget, actual costs, expenditure rate, and remaining budget – including a visual breakdown by cost type and aggregation across subprojects. This requires both the Budgets and the Time & Costs modules to be activated. The widgets on the Project Overview now also support inline editing for project description and status. Additionally, optional comment fields for project attributes are included to document reasons for changes.

The team has improved accessibility: the project overview widgets are now operable via keyboard and offer improved semantics for screen readers in accordance with WCAG 2.1 AA guidelines. In the PDF export, relationships between work packages can now be displayed as tables; WebP images are also supported.

In terms of UX, OpenProject 17.2 implements the Primer Design System in further areas, including the backlog view with split-screen and drag & drop, as well as admin interfaces for custom fields, versions, and groups. A new Jira importer is in an early testing phase and is intended to import issues, comments, attachments, and structures – further functions are to follow in upcoming releases.

Version 17.2 fixes five security vulnerabilities that were reported on YesWeHack through the bug bounty program funded by the EU Commission. Among them is CVE-2026-30234, a path traversal vulnerability in the BIM-BCF-XML import, which allowed authenticated users to read arbitrary files (CVSS 6.5). CVE-2026-30239 describes a permission bypass when deleting budgets (CVSS 6.5). Further fixes concern DOM clobbering via Markdown hyperlinks (CVE-2026-30235), the leakage of global hourly rates to non-members via Labor Budgets (CVE-2026-30236), and a blind SSRF vulnerability via webhooks (CVE-2026-31974).

Only at the beginning of the year, OpenProject 17 had introduced real-time collaboration in documents. The complete Release Notes list all changes in detail.

(fo)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.