PatchSiren cyber security CVE debrief

CVE-2026-52781 opf CVE debrief

CVE-2026-52781 is a medium-severity vulnerability in OpenProject, an open-source project management application. The issue lies in the HTML sanitizer, which grants <macro> elements unrestricted data-* attributes via the :data wildcard. This allows an attacker to inject attributes such as data-controller='poll-for-changes' into a work package description. When the description is rendered, Stimulus.js mounts the named controller, which fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). That enables arbitrary Turbo Stream actions, including redirect_to, to run in every viewing victim's authenticated browser session, so victims can be redirected to an attacker-controlled server. OpenProject versions 17.3.3 and 17.4.1 contain the fix.

Vendor: opf
Product: openproject
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Administrators and users of OpenProject, especially those hosting their own instances, should be aware of this vulnerability. Given its medium severity and its impact on every authenticated user who views an affected work package, defenders should prioritize patching. Exploitation requires an account with permission to edit work package descriptions.

Technical summary

The HTML sanitizer in OpenProject, prior to versions 17.3.3 and 17.4.1, improperly handles <macro> elements by allowing any data-* attribute on them. An attacker with edit rights can inject a data-controller attribute, which causes Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and hands it to renderStreamMessage(). The result is execution of arbitrary Turbo Stream actions in the browser sessions of authenticated users who view the description. The vulnerability's CVSS score is 6.4 (medium).
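The sanitizer defect above comes down to one allowlist rule: a data-* wildcard lets framework hooks such as data-controller through, while an explicit list of the data attributes a feature actually needs does not. The following is an added illustration, not OpenProject's sanitizer or the Sanitize gem: a minimal attribute allowlist filter in plain Ruby, run over a constructed <macro> tag, with a weak policy (the :data wildcard the advisory names) beside a hardened one. The attribute name data-macro in the hardened policy is a hypothetical stand-in for whatever the real macro feature requires.

```ruby
# Added example (not OpenProject code): minimal attribute allowlist filter
# showing why a data-* wildcard is unsafe on elements rendered by Stimulus.

# Constructed sample: a work package description fragment carrying the
# attribute the advisory describes next to a legitimate macro attribute.
SAMPLE_MACRO = %q{<macro class="toc" data-controller="poll-for-changes" data-macro="toc">}

# Weak policy: :data means "any data-* attribute passes", mirroring the
# pre-fix behaviour described in the advisory.
WEAK_POLICY = { "macro" => ["class", :data] }

# Hardened policy: only the data-* attributes the macro feature itself needs.
# "data-macro" is a hypothetical placeholder; the point is that
# data-controller (and any other Stimulus/Turbo hook) is not on the list.
HARDENED_POLICY = { "macro" => ["class", "data-macro"] }

# Matches name="value" or name='value' attribute pairs inside a start tag.
ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/

def parse_tag(tag)
  name = tag[/\A<\s*([a-zA-Z][a-zA-Z0-9-]*)/, 1].downcase
  attrs = tag.scan(ATTR_RE).map { |n, dq, sq| [n.downcase, dq || sq] }
  [name, attrs]
end

# A rule is either an exact attribute name or the :data wildcard.
def attribute_allowed?(rules, attr_name)
  rules.any? do |rule|
    rule == :data ? attr_name.start_with?("data-") : rule == attr_name
  end
end

# Returns the rebuilt start tag with only allowlisted attributes, or nil when
# the element itself is not allowlisted (so it is dropped entirely).
def sanitize_tag(tag, policy)
  name, attrs = parse_tag(tag)
  rules = policy[name]
  return nil unless rules
  kept = attrs.select { |n, _| attribute_allowed?(rules, n) }
  kept_s = kept.map { |n, v| %(#{n}="#{v.gsub('"', '&quot;')}") }.join(" ")
  kept_s.empty? ? "<#{name}>" : "<#{name} #{kept_s}>"
end

# Defender check: does a data-controller hook survive the given policy?
def stimulus_hook_survives?(tag, policy)
  out = sanitize_tag(tag, policy)
  !out.nil? && out.include?("data-controller=")
end
```

Under WEAK_POLICY the data-controller attribute survives sanitization; under HARDENED_POLICY only class and data-macro remain, which is the shape of fix the advisory describes.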

Defensive priority

Defenders should prioritize patching to prevent exploitation. Given the medium severity, immediate action is recommended, especially for instances exposed to untrusted users.

Recommended defensive actions

  • Upgrade OpenProject to a fixed version (17.3.3 or 17.4.1).
  • Review and restrict which accounts hold permission to edit work package descriptions.
  • Monitor work package descriptions for injected data-* attributes (such as data-controller) and for unexpected Turbo Stream actions.
  • Implement additional safeguards for user authentication and session management.
  • Inventory all OpenProject instances and assess their exposure to untrusted users.

Evidence notes

The CVE record and the NVD entry provide the official description of the vulnerability, and a GitHub security advisory offers additional context. The available information does not fully detail the vulnerability's scope or the range of affected deployments, so further investigation and monitoring are needed to understand its impact.

This article is AI-assisted and based on the supplied source corpus.