Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17.4.1.
Published: 2026-06-26
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cache store poisoning flaw: an attacker injects malicious data into the cache, and the application later deserializes or interprets that data as executable code. This leads directly to Remote Code Execution, giving the attacker full control over the affected system. The flaw is classified under CWE-20 (Improper Input Validation), reflecting that cached data is consumed without sufficient validation.

Affected Systems

OpenProject versions prior to 17.3.3 and 17.4.1 are affected. The vendor identified the product as opf:open; any affected release must be upgraded to a patched version.

Risk and Exploitability

The CVSS score of 9.6 reflects the high severity of this RCE flaw. EPSS information is not available, so the likelihood of exploitation cannot be quantified, but the absence of a KEV listing suggests it has not yet been observed in the wild. The attack vector is inferred to be compromise of the cache store, which could be reached over the network or by a malicious user with sufficient privileges inside the application stack.

Generated by OpenCVE AI on June 26, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.3.3 or 17.4.1 where the cache store poisoning fix is applied.
  • If an upgrade is not immediately feasible, reconfigure the application to disable caching or restrict the cache store to a private, secured endpoint that only trusted processes can write to.
  • Verify that only authenticated, authorized users have write access to the cache server and monitor cache entry changes for anomalous activity.

Generated by OpenCVE AI on June 26, 2026 at 20:50 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Opf; Opf openproject
Vendors & Products                    Opf; Opf openproject

Fri, 26 Jun 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description                    OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17.4.1.
Title                          OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)
Weaknesses                     CWE-20
References
Metrics                        cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:09:21.329Z

Reserved: 2026-06-08T17:13:43.065Z

Link: CVE-2026-52780

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-20: Improper Input Validation