PatchSiren cyber security CVE debrief

CVE-2026-52783 opf CVE debrief

CVE-2026-52783 is a high-severity vulnerability in OpenProject's Storages module. Prior to versions 17.3.3 and 17.4.1, the module writes OneDrive/SharePoint userless OAuth access tokens in plaintext to Rails.cache. Because an hourly cron job and every userless-OAuth call site repopulate the entry, a valid token is present in the cache essentially all the time. None of the three allowed cache backends (file_store, memcache, redis) encrypts data at rest, so anyone with read access to the backend can recover the Azure AD application-tier bearer token, for example with an anonymous get over the memcached binary protocol or the equivalent command against Redis. The fix shipped in OpenProject 17.3.3 and 17.4.1.

Vendor: opf
Product: openproject
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Organizations running OpenProject releases earlier than 17.3.3 (17.3 line) or 17.4.1 (17.4 line) with a OneDrive or SharePoint storage configured in the Storages module are exposed; the cached tokens only exist once such an integration is set up. The attacker in scope is anyone who can read the cache backend: a host or container that can reach an unauthenticated memcached or Redis instance, another tenant sharing that instance, or a local account that can read the file_store directory. Security teams responsible for the Azure AD tenant and for the SharePoint/OneDrive data the integration reaches should treat this as an identity exposure, not only an OpenProject bug.

Technical summary

The OpenProject Storages module, prior to versions 17.3.3 and 17.4.1, stores the OneDrive/SharePoint userless (application-tier) OAuth access tokens in plaintext in Rails.cache. These are the bearer tokens OpenProject presents to Azure AD-protected Microsoft endpoints when acting as the application rather than on behalf of a user. An hourly cron job and every userless-OAuth call site rewrite the cache entry, so the cache holds a fresh, unexpired token almost continuously. Since none of the supported backends (file_store, memcache, redis) encrypts data at rest, the exposure reduces to whoever can read the backend: a file read for file_store, a plain get for memcached, a GET or DUMP for Redis. Holding the token is equivalent to holding the application's credentials for the token's lifetime: the attacker can call the same APIs with whatever application permissions the app registration has on the tenant's SharePoint and OneDrive data, without triggering any OpenProject-side authentication.
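Added triage example (not OpenProject code and not from the advisory): a Ruby scanner that takes raw bytes dumped from any of the three backends (files under a file_store directory, values read back from Redis or memcached) and reports every JWT-shaped token it finds with its audience, app ID and expiry, so you can tell whether a token that sat in a readable cache is still live. It assumes nothing about OpenProject's cache key names, only the shape of an Entra ID access token. The sample blob and the tokens in it are constructed here with bogus signatures.

```ruby
# Added example, not OpenProject's code: find JWT-shaped bearer tokens in a
# raw cache dump and report whether each one is still usable.
require 'base64'
require 'json'
require 'time'

# A JWT is three base64url segments joined by dots; an Entra ID access token
# header always serialises to something starting with "eyJ".
JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/

def b64url_decode(seg)
  seg += '=' * ((4 - seg.length % 4) % 4)  # restore stripped padding
  Base64.urlsafe_decode64(seg)
end

# Decode header and payload WITHOUT verifying the signature. This is triage
# of a token we already hold, not authentication, so verification is moot.
def decode_unverified(jwt)
  header, payload, _sig = jwt.split('.', 3)
  { header: JSON.parse(b64url_decode(header)),
    payload: JSON.parse(b64url_decode(payload)) }
rescue JSON::ParserError, ArgumentError
  nil  # looked like a JWT but was not one; skip it
end

# One finding per distinct token: signing alg, app (appid or azp), audience,
# tenant, expiry, and whether the token is still valid at `now`.
def scan_cache_blob(blob, now: Time.now)
  blob.scan(JWT_RE).uniq.filter_map do |jwt|
    decoded = decode_unverified(jwt)
    next unless decoded
    claims = decoded[:payload]
    exp = claims['exp'] && Time.at(claims['exp'].to_i).utc
    { alg:   decoded[:header]['alg'],
      appid: claims['appid'] || claims['azp'],
      aud:   claims['aud'],
      tid:   claims['tid'],
      exp:   exp,
      live:  exp ? exp > now : nil }
  end
end

# Constructed sample: two fake tokens (one live, one expired) with a bogus
# signature, never issued by Entra ID, surrounded by binary noise the way a
# serialised cache entry would surround them. Claim names match Entra ID's.
def sample_blob(now: Time.at(1_780_000_000).utc)
  header   = Base64.urlsafe_encode64({ 'alg' => 'RS256', 'typ' => 'JWT' }.to_json, padding: false)
  live     = { 'aud' => 'https://graph.microsoft.com',
               'appid' => '00000000-0000-0000-0000-000000000001',
               'tid' => '11111111-1111-1111-1111-111111111111',
               'exp' => now.to_i + 3600 }
  expired  = live.merge('exp' => now.to_i - 60)
  fake_sig = Base64.urlsafe_encode64('not-a-real-signature', padding: false)
  tokens = [live, expired].map do |claims|
    "#{header}.#{Base64.urlsafe_encode64(claims.to_json, padding: false)}.#{fake_sig}"
  end
  "\x04\bnoise\x00#{tokens[0]}\x00\x04\bmore noise #{tokens[1]}\x00"
end

if __FILE__ == $PROGRAM_NAME
  now = Time.at(1_780_000_000).utc
  scan_cache_blob(sample_blob(now: now), now: now).each do |f|
    state = f[:live] ? 'LIVE   ' : 'expired'
    puts "#{state} aud=#{f[:aud]} appid=#{f[:appid]} tid=#{f[:tid]} exp=#{f[:exp].iso8601}"
  end
end
```

Point it at real data with something like `scan_cache_blob(File.binread(path))` for each file under the file_store directory, or at the concatenated values returned by `redis-cli --scan` plus `GET`, and any finding marked live is a token that still works against Microsoft's APIs until its `exp`.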

Defensive priority

High. Upgrade to 17.3.3 or 17.4.1 immediately. Patching stops new tokens from being written to the cache in plaintext; it does not invalidate a token that was already read out, which stays valid until it expires.

Recommended defensive actions

  • Upgrade to OpenProject 17.3.3 (17.3 line) or 17.4.1 (17.4 line).
  • After upgrading, clear Rails.cache so entries written by the vulnerable code do not linger, and rotate the client secret or certificate of the Azure AD app registration used by the storage. A token already copied from the cache remains usable until its expiry, so treat the pre-patch window as possible exposure.
  • Lock down the cache backend rather than hoping for encryption: none of file_store, memcache or redis encrypts at rest. Bind memcached and Redis to loopback or a private interface, require authentication on Redis (requirepass or ACLs) and TLS where the network is shared, and make the file_store directory readable only by the OpenProject service account.
  • Review Azure AD (Entra ID) sign-in logs for the application's service principal and the Microsoft Graph/SharePoint audit logs for activity from source IPs other than the OpenProject hosts; an application token used from elsewhere is the signature of a recovered token.
  • Inventory every OpenProject installation, noting the version, whether a OneDrive/SharePoint storage is configured, and which cache backend it uses and who can reach it.
  • Where patching must wait, restrict network and filesystem access to the cache backend and add monitoring on the service principal as compensating controls.

Evidence notes

The CVE-2026-52783 details were sourced from the official CVE record and the OpenProject security advisory. The vulnerability's high severity stems from the exposure of sensitive OAuth tokens without encryption. Evidence from the source indicates that fixes are available in OpenProject versions 17.3.3 and 17.4.1.

Official resources

This article was generated with AI assistance based on the supplied source corpus and is intended for informational purposes only.