CVE-2026-52783: CWE-313: Cleartext Storage in a File or on Disk in opf openproject
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.
AI Analysis
Technical Summary
CVE-2026-52783 is a cleartext storage vulnerability (CWE-313) in OpenProject's Storages module. The module writes OneDrive/SharePoint userless OAuth access tokens in plaintext to Rails.cache under a deterministic key. Since the supported cache backends do not encrypt data at rest, an attacker with read access to the cache backend can recover the Azure-AD bearer token by anonymously querying memcached or Redis protocols. This vulnerability affects OpenProject versions prior to 17.3.3 and 17.4.1 and is fixed in those versions.
Potential Impact
An attacker who gains read access to the cache backend can retrieve sensitive OAuth access tokens in plaintext, potentially allowing unauthorized access to Azure-AD application resources. The vulnerability does not affect availability but has high confidentiality and integrity impact as indicated by the CVSS score of 8.2.
Mitigation Recommendations
A fix is available in OpenProject versions 17.3.3 and 17.4.1. Users should upgrade to these versions or later to remediate this vulnerability. Since this is a cloud service, the vendor manages remediation for the hosted service; users should verify with the vendor that the service is updated. No additional mitigation steps are indicated in the advisory.
CVE-2026-52783: CWE-313: Cleartext Storage in a File or on Disk in opf openproject
Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.
CVSS v3.1
Score 8.2high
Affected software
pkg:github/opf/openprojectRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-52783 is a cleartext storage vulnerability (CWE-313) in OpenProject's Storages module. The module writes OneDrive/SharePoint userless OAuth access tokens in plaintext to Rails.cache under a deterministic key. Since the supported cache backends do not encrypt data at rest, an attacker with read access to the cache backend can recover the Azure-AD bearer token by anonymously querying memcached or Redis protocols. This vulnerability affects OpenProject versions prior to 17.3.3 and 17.4.1 and is fixed in those versions.
Potential Impact
An attacker who gains read access to the cache backend can retrieve sensitive OAuth access tokens in plaintext, potentially allowing unauthorized access to Azure-AD application resources. The vulnerability does not affect availability but has high confidentiality and integrity impact as indicated by the CVSS score of 8.2.
Mitigation Recommendations
A fix is available in OpenProject versions 17.3.3 and 17.4.1. Users should upgrade to these versions or later to remediate this vulnerability. Since this is a cloud service, the vendor manages remediation for the hosted service; users should verify with the vendor that the service is updated. No additional mitigation steps are indicated in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-08T17:13:43.065Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a3ed4eb72d29f1837ec342c
Added to database: 06/26/2026, 19:37:15 UTC
Last enriched: 06/26/2026, 19:52:25 UTC
Last updated: 06/26/2026, 20:36:34 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.