Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.
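The write pattern the description names, beside a hardened alternative, as an added illustration written for this page and not code from OpenProject or from its 17.3.3/17.4.1 fix: a plain Hash stands in for the Rails.cache backend, the vulnerable write stores the bearer as-is under storage.<id>.httpx_access_token, and the hardened write seals it with AES-256-GCM under an application-held key (how that key is provisioned, e.g. from the app's credentials store, is assumed) so the backend holds only ciphertext.

```ruby
require "openssl"
# Stand-in for Rails.cache (constructed for this example). Like file_store,
# memcache and redis it keeps exactly the bytes it is handed, unencrypted.
CACHE = {}
CACHE_KEY = ->(storage_id) { "storage.#{storage_id}.httpx_access_token" }

# The pattern the advisory describes: the bearer goes in as-is under a
# predictable key, so any reader of the backend obtains a usable token.
def cache_token_plaintext(storage_id, token)
  CACHE[CACHE_KEY.call(storage_id)] = token
end

# Hardened variant (illustration, not OpenProject's actual fix): seal the token
# with AES-256-GCM before it reaches the backend. The cache key is bound in as
# associated data, so a blob copied under another storage's key will not decrypt.
def cache_token_encrypted(storage_id, token, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key                 # 32-byte key held by the application only
  nonce = cipher.random_iv         # fresh 12-byte nonce for every write
  cipher.auth_data = CACHE_KEY.call(storage_id)
  ciphertext = cipher.update(token) + cipher.final
  CACHE[CACHE_KEY.call(storage_id)] = [nonce + cipher.auth_tag + ciphertext].pack("m0")
end

def read_token_encrypted(storage_id, key)
  blob = CACHE[CACHE_KEY.call(storage_id)]
  return nil unless blob
  raw = blob.unpack1("m0")
  nonce, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..]
  decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  decipher.key = key
  decipher.iv = nonce
  decipher.auth_tag = tag
  decipher.auth_data = CACHE_KEY.call(storage_id)
  (decipher.update(ciphertext) + decipher.final).force_encoding(Encoding::UTF_8)
rescue OpenSSL::Cipher::CipherError
  nil # wrong key or tampered blob: treat as a cache miss and re-acquire the token
end
# What an inspector of the backend sees at rest: is the bearer present verbatim?
def token_visible_at_rest?(storage_id, token)
  CACHE[CACHE_KEY.call(storage_id)].to_s.include?(token)
end

if $PROGRAM_NAME == __FILE__
  key, token = OpenSSL::Random.random_bytes(32), "constructed.sample.bearer" # not a real token
  cache_token_plaintext(7, token)
  puts "plaintext write, visible at rest: #{token_visible_at_rest?(7, token)}"   # true
  cache_token_encrypted(7, token, key)
  puts "encrypted write, visible at rest: #{token_visible_at_rest?(7, token)}"   # false
end
```

Sealing the value does not remove the need to restrict network and filesystem access to the cache service; it only ensures that a reader of the backend gets ciphertext rather than a live bearer.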
Published: 2026-06-26
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject’s Storages module writes userless OAuth access tokens for OneDrive/SharePoint into Rails.cache under the deterministic key storage.<id>.httpx_access_token without encrypting data at rest. This allows an attacker with read access to the chosen cache backend to recover a bearer token that authorizes access to Azure‑AD services, effectively enabling service‑level impersonation. The flaw represents a classic cleartext storage of sensitive authentication material (CWE‑313).

Affected Systems

Versions of OpenProject released before 17.3.3 and before 17.4.1 are impacted. All three supported Rails.cache providers—file_store, memcache, and redis—were vulnerable. The issue is resolved in releases 17.3.3 and 17.4.1 and later, so upgrading to one of those versions eliminates the flaw.

Risk and Exploitability

With a CVSS score of 8.2 the vulnerability is classified as high‑severity information disclosure. No EPSS score is currently available, but the absence of automatic mitigations and the sensitivity of the exposed Azure‑AD access token raise the likelihood of exploitation once discovered. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to read the cache backend, either by compromising an internal user or by bypassing network controls that expose the cache. Successful extraction of the token enables unauthorized access to Azure‑AD resources, which poses a significant risk to confidentiality and system integrity.

Generated by OpenCVE AI on June 26, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenProject 17.3.3, 17.4.1, or a later version that contains the fix.
  • Configure the cache backend to encrypt data at rest or use a provider that does not persist plain‑text tokens, and restrict network access to the cache service.
  • Ensure that only trusted processes or users have read permissions on the cache storage to prevent unauthorized extraction of the token.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type | Values removed | Values added
Description | | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.
Title | | OpenProject: Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure
Weaknesses | | CWE-313
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:57:58.860Z

Reserved: 2026-06-08T17:13:43.065Z

Link: CVE-2026-52783

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-313: Cleartext Storage in a File or on Disk