OpenProject Vulnerability Exposing OAuth Access Tokens in Plaintext
CVE-2026-52783

8.2 HIGH

Key Information:

Vendor: Opf

CVE Published: 26 June 2026

What is CVE-2026-52783?

OpenProject, an open-source project management platform, shipped a high-severity vulnerability in its Storages module. Before versions 17.3.3 and 17.4.1, the module stored the userless (application-level) OAuth access tokens used for the OneDrive/SharePoint integration in plaintext in Rails.cache. Anyone with read access to the cache backend could retrieve these tokens and thereby hold the bearer credential of the Azure AD application itself, rather than that of any single user. None of the three supported cache backends (file_store, memcache and redis) encrypts data at rest, so the exposure existed regardless of which backend was configured. Affected installations should upgrade to 17.3.3 or 17.4.1. Because a token that has already been read stays valid until it expires, operators who cannot rule out prior access to the cache backend should also rotate the Azure AD application credentials after upgrading.
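The following Ruby script is an added illustration of the pattern described above and is not code from OpenProject or from its fix. It uses a minimal stand-in for a Rails file_store (one Marshal-dumped file per key) and a constructed, non-functional JWT-shaped token. It shows what an attacker with read access to the backend sees when the token is cached as-is, a triage heuristic an operator can run over an existing file_store directory (flag entries that look like a JWT), and one possible hardening: sealing the token with AES-256-GCM under an application-held key before it reaches the cache. The sealing design, the cache key name and the store layout are assumptions for the example, not OpenProject's actual implementation.

```ruby
require "openssl"
require "securerandom"
require "tmpdir"
require "digest"

# Constructed sample token shaped like an Azure AD JWT (three base64url
# segments). It is not a real credential.
SAMPLE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9." \
               "eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20ifQ." \
               "c2lnbmF0dXJl".freeze

# Stand-in for a Rails file_store: each key becomes one Marshal-dumped file
# under the cache directory. The real store adds entry metadata, but the
# serialized value reaches disk byte-for-byte, which is all that matters here.
class FileStore
  def initialize(dir)
    @dir = dir
  end

  def write(key, value)
    File.binwrite(path_for(key), Marshal.dump(value))
  end

  def read(key)
    path = path_for(key)
    File.exist?(path) ? Marshal.load(File.binread(path)) : nil
  end

  private

  def path_for(key)
    File.join(@dir, Digest::SHA256.hexdigest(key))
  end
end

# Assumed hardening (not OpenProject's patch): seal the token with AES-256-GCM
# under a key the application holds outside the cache, so the backend only
# ever stores ciphertext, and a modified blob fails authentication.
class TokenSealer
  def initialize(key)
    raise ArgumentError, "key must be 32 bytes" unless key.bytesize == 32
    @key = key
  end

  def seal(plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = cipher.random_iv            # fresh 12-byte nonce for every write
    ciphertext = cipher.update(plaintext) + cipher.final
    { iv: iv, ct: ciphertext, tag: cipher.auth_tag }
  end

  def open(blob)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = blob[:iv]
    cipher.auth_tag = blob[:tag]
    cipher.update(blob[:ct]) + cipher.final   # raises CipherError if tampered
  end
end

# Heuristic for triage: anything that looks like "<header>.<payload>." with
# base64url segments starting in "eyJ" is JWT-shaped and worth a look.
JWT_SHAPE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\./

# What a reader of the backend sees: grep every cache entry for the token.
def cache_leaks_token?(dir, token)
  Dir.glob(File.join(dir, "*")).any? { |f| File.binread(f).include?(token) }
end

def jwt_shaped_entries(dir)
  Dir.glob(File.join(dir, "*")).select { |f| File.binread(f).match?(JWT_SHAPE) }
end

def demo
  Dir.mktmpdir do |dir|
    store = FileStore.new(dir)
    key = "storages/onedrive/app_token"   # assumed cache key name

    # Vulnerable pattern: the bearer token is cached as-is.
    store.write(key, SAMPLE_TOKEN)
    leaked_before = cache_leaks_token?(dir, SAMPLE_TOKEN)
    flagged_before = jwt_shaped_entries(dir).size

    # Hardened pattern: seal before write, open after read.
    sealer = TokenSealer.new(SecureRandom.random_bytes(32))
    store.write(key, sealer.seal(SAMPLE_TOKEN))
    leaked_after = cache_leaks_token?(dir, SAMPLE_TOKEN)
    flagged_after = jwt_shaped_entries(dir).size
    recovered = sealer.open(store.read(key))

    # A blob altered in the backend must not decrypt to anything.
    blob = store.read(key)
    blob[:ct] = blob[:ct].dup.tap { |s| s.setbyte(0, s.getbyte(0) ^ 0x01) }
    tamper_rejected = begin
      sealer.open(blob)
      false
    rescue OpenSSL::Cipher::CipherError
      true
    end

    { leaked_before: leaked_before, flagged_before: flagged_before,
      leaked_after: leaked_after, flagged_after: flagged_after,
      recovered: recovered == SAMPLE_TOKEN, tamper_rejected: tamper_rejected }
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

The same scan applies to memcache and redis: dumping keys with the client tools and searching the values for the token or for the JWT shape tells an operator whether a pre-patch install has tokens sitting in the backend. Encrypting at rest addresses only the read-access case the advisory describes; an attacker who can also write to the backend can replace entries, and Rails caches deserialize what they read, so backend access control remains necessary regardless of the sealing.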

Affected Version(s)

openproject < 17.3.3

openproject >= 17.4.0, < 17.4.1

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
