Important security update for OpenCms
We would like to inform OpenCms users about a security issue identified with the support of a security service provider.
Under specific conditions, it was theoretically possible for unauthenticated users to inject code into the system. This issue has been fully resolved in OpenCms version 21.
For installations running OpenCms 11 to 20, a dedicated security patch is available to address this issue. Versions earlier than OpenCms 11 are not affected.
To apply the update, please download the provided patch below, extract the ZIP file and copy the included WEB-INF directory into your OpenCms web application directory (for example: /webapps/ROOT/).
The Java class file CmsGwtServiceContext.class should now be present in the WEB-INF/classes/org/opencms/gwt/ folder of your web application. Afterwards, restart your servlet container to complete the update.
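The copy-and-verify steps above can be scripted as follows. This is an added example, not code supplied by the OpenCms project. It assumes the WEB-INF directory sits at the top level of the patch ZIP; the function names, the script name and the archive path passed in are placeholders.

```python
import hashlib
import shutil
import sys
import tempfile
import zipfile
from pathlib import Path

# Location of the patched class inside the web application, per the advisory.
PATCHED_CLASS = "WEB-INF/classes/org/opencms/gwt/CmsGwtServiceContext.class"


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def apply_patch(patch_zip, webapp_dir):
    """Copy the patch's WEB-INF tree into webapp_dir; return the class SHA-256."""
    webapp = Path(webapp_dir)
    if not (webapp / "WEB-INF").is_dir():
        raise ValueError(f"{webapp} has no WEB-INF directory")
    with zipfile.ZipFile(patch_zip) as zf, tempfile.TemporaryDirectory() as tmp:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if PATCHED_CLASS not in names:
            raise ValueError(f"archive does not contain {PATCHED_CLASS}")
        # Refuse entries outside WEB-INF/ so the copy cannot touch other paths.
        stray = [n for n in names
                 if not n.startswith("WEB-INF/") or ".." in n.split("/")]
        if stray:
            raise ValueError(f"unexpected entries in archive: {stray}")
        zf.extractall(tmp, members=names)
        expected = sha256(Path(tmp) / PATCHED_CLASS)
        shutil.copytree(Path(tmp) / "WEB-INF", webapp / "WEB-INF",
                        dirs_exist_ok=True)
    # Confirm the class the servlet container will load is the patched one.
    if sha256(webapp / PATCHED_CLASS) != expected:
        raise RuntimeError("installed class differs from the one in the patch")
    return expected


if __name__ == "__main__":
    # Usage: python apply_patch.py <patch.zip> <webapp dir, e.g. /webapps/ROOT>
    print("installed", PATCHED_CLASS, apply_patch(sys.argv[1], sys.argv[2]))
```

The script only places and checks the files; the servlet container still has to be restarted afterwards.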
We recommend applying this update as soon as possible to ensure the ongoing security of your system.
We would like to thank Security Research Labs for identifying and reporting this issue.
