Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-52783— OpenProject: Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure

CVSS 8.2 · High EPSS 0.13% · P3

Possible ATT&CK Techniques 1AI

T1552.001 · Credentials In Files

Affected Version Matrix 2

VendorProductVersion RangeStatus
opfopenproject< 17.3.3affected
>= 17.4.0, < 17.4.1affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-52783

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
OpenProject: Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在文件或磁盘上的明文存储
Source: NVD (National Vulnerability Database)
Vulnerability Title
OPF OpenProject 加密问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
opf openproject是opf的项目管理软件。 OPF OpenProject 17.3.3之前版本和17.4.0至17.4.1之前版本存在加密问题漏洞,该漏洞源于Storages模块将OneDrive/SharePoint用户免密OAuth访问令牌以明文写入Rails.cache,且缓存后端未加密,可能导致具有缓存后端读取权限的攻击者恢复Azure-AD应用层令牌。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
opfopenproject < 17.3.3 -

II. Public POCs for CVE-2026-52783

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-52783

登录查看更多情报信息。

Vendor Advisories for CVE-2026-52783 (1)

Same Patch Batch · opf · 2026-06-26 · 17 CVEs total

CVE-2026-527829.9 CRITICALOpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH para
CVE-2026-527859.9 CRITICALOpenProject: SQL injection in timestamps functionality
CVE-2026-463869.9 CRITICALOpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `S
CVE-2026-527809.6 CRITICALOpenProject: Cache store poisoning leads to Remote Code Execution (RCE)
CVE-2026-527848.8 HIGHOpenProject: CSRF on TARGET through /users/:id via POST parameter "user[admin]"
CVE-2026-471937.5 HIGHOpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks
CVE-2026-447346.5 MEDIUMOpenProject: Improper Access Control on OpenProject through the POST request to /projects/
CVE-2026-447366.5 MEDIUMOpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Pa
CVE-2026-447356.5 MEDIUMOpenProject: Shares API Information Disclosure
CVE-2026-527816.4 MEDIUMOpenProject: Stored XSS on openproject.example.com through /api/v3/projects/{project}/work
CVE-2026-447335.9 MEDIUMOpenProject: Business Logic Error on OpenProject through PATCH request to /api/v3/users/me
CVE-2026-446965.7 MEDIUMOpenProject: Stored CSS injection via Sanitize::Config::RELAXED[:css] enables phishing ove
CVE-2026-527795.4 MEDIUMOpenProject: Cross-project authorization bypass allows deleting public Calendar and Team P
CVE-2026-493554.3 MEDIUMOpenProject: Private work package data disclosure through single meeting agenda item API
CVE-2026-447314.3 MEDIUMOpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetin
CVE-2026-447324.3 MEDIUMOpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "proje

IV. Related Vulnerabilities

V. Comments for CVE-2026-52783

No comments yet


Leave a comment