CVE-2026-52783
Deferred - Pending Action
OpenProject OAuth Access Token Exposure via Cache

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor       Product      Version / Range
openproject  openproject  to 17.3.3 (inc)
openproject  openproject  to 17.4.1 (inc)
openproject  openproject  to 17.3.3|end_excluding=17.4.1 (exc)
CWE ID Description
CWE-313 The product stores sensitive information in cleartext in a file, or on disk.
Detection Guidance

This vulnerability can be detected by checking the contents of the Rails.cache storage used by OpenProject, specifically looking for the presence of plaintext OAuth access tokens stored under keys matching the pattern "storage.<id>.httpx_access_token".

Since the tokens are stored in cache backends such as memcache or Redis without encryption, you can attempt to read these tokens directly from the cache backend.

For memcached, the commands below are memcached protocol commands rather than `memcached-tool` subcommands, so send them over a client session to `<host>:<port>` (for example with `nc` or `telnet` for the text protocol):

  • Send `stats items` to list the slab classes that hold cached items.
  • Send `stats cachedump <slab_class> <limit>` to dump keys from a slab class.
  • Send `get storage.<id>.httpx_access_token` to retrieve the token.

For Redis, you can connect to the Redis instance and run commands like:

  • Run `KEYS storage.*.httpx_access_token` to find relevant keys (on a production instance, `SCAN` with the same `MATCH` pattern avoids blocking the server).
  • Run `GET <key>` to retrieve the token stored in plaintext.

Detection requires read access to the cache backend, so verifying access permissions and inspecting cache contents for these keys can confirm the vulnerability.
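The key check described above can be run over a saved key listing instead of by eye. This is an added example, not code from OpenProject or from this page: it parses `stats cachedump` ITEM lines or bare Redis keys and reports which storage ids have a token entry, without reading any token value. The helper names, the `openproject:` namespace prefix and the sample listings are assumptions constructed for illustration.

```ruby
# Added example: find exposed token keys in a cache key listing.
# Key scheme from the advisory: storage.<id>.httpx_access_token, optionally
# preceded by a Rails cache namespace ("<namespace>:"), which is an assumption here.
TOKEN_KEY = /(?:\A|:)storage\.(?<id>[^.:\s]+)\.httpx_access_token\z/

# memcached `stats cachedump` prints: ITEM <key> [<size> b; <expiry> s]
CACHEDUMP_ITEM = /\AITEM (?<key>\S+) \[(?<size>\d+) b; (?<exp>\d+) s\]\z/

# Accepts one listing line: a cachedump ITEM line or a bare key per line
# (Redis KEYS/SCAN output). Returns key metadata or nil.
def parse_listing_line(line)
  line = line.strip
  return nil if line.empty? || line == "END"
  if (m = CACHEDUMP_ITEM.match(line))
    { key: m[:key], size: m[:size].to_i }
  else
    { key: line, size: nil }
  end
end

# Returns one finding per affected storage id; never reads the token value.
def exposed_storages(listing)
  findings = listing.each_line.filter_map do |line|
    item = parse_listing_line(line)
    m = item && TOKEN_KEY.match(item[:key])
    m && item.merge(storage_id: m[:id])
  end
  findings.uniq { |f| f[:storage_id] }
end

# Constructed sample listings (not real output from any deployment).
SAMPLE_CACHEDUMP = <<~DUMP
  ITEM openproject:storage.7.httpx_access_token [1873 b; 1782470000 s]
  ITEM openproject:views/work_packages/42 [211 b; 0 s]
  END
DUMP

SAMPLE_REDIS_KEYS = <<~KEYS
  storage.12.httpx_access_token
  storage.12.health_status
  mystorage.3.httpx_access_token
  storage.7.httpx_access_token
KEYS

if __FILE__ == $PROGRAM_NAME
  (exposed_storages(SAMPLE_CACHEDUMP) + exposed_storages(SAMPLE_REDIS_KEYS)).each do |f|
    puts "storage #{f[:storage_id]}: token cached under #{f[:key]} (treat as exposed)"
  end
end
```

The regular expression anchors on the start of the key or a `:` separator, so a namespaced key still matches while an unrelated key that merely ends in the same suffix does not.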

Mitigation Strategies

The immediate mitigation step is to upgrade OpenProject to 17.3.3, 17.4.1, or a later release, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the cache backend (memcache, Redis, or file_store) to trusted users only, ensuring that unauthorized users cannot read the cache contents.

Additionally, consider implementing encryption at rest for cache backends if possible, or configuring the cache to avoid storing sensitive tokens in plaintext.

Review and tighten network and system permissions to prevent attackers from gaining read access to the cache.
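The suggestion above to keep tokens out of the cache in plaintext can be met by sealing the value in the application before it is written. This is an added example, not OpenProject's actual fix: `MemoryBackend` stands in for `Rails.cache`, `SealedTokenCache` is a hypothetical wrapper, and the 32-byte secret is assumed to live in application secrets, never in the cache itself.

```ruby
require "openssl"

# Stand-in for Rails.cache so the example runs offline (hypothetical class).
class MemoryBackend
  attr_reader :data
  def initialize; @data = {}; end
  def write(key, value); @data[key] = value; end
  def read(key); @data[key]; end
end

# Hypothetical wrapper: seals a token with AES-256-GCM before it reaches the backend.
class SealedTokenCache
  IV_LEN = 12
  TAG_LEN = 16

  # secret: 32 random bytes kept in application secrets, never in the cache.
  def initialize(backend, secret)
    @backend = backend
    @secret = secret
  end

  def write(key, token)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @secret
    iv = cipher.random_iv
    cipher.auth_data = key # bind the ciphertext to its cache key
    sealed = cipher.update(token) + cipher.final
    @backend.write(key, iv + cipher.auth_tag + sealed)
  end

  # Returns the token, or nil (a cache miss) if the entry is absent,
  # tampered with, copied from another key, or sealed under another secret.
  def read(key)
    blob = @backend.read(key)
    return nil if blob.nil? || blob.bytesize <= IV_LEN + TAG_LEN
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @secret
    cipher.iv = blob.byteslice(0, IV_LEN)
    cipher.auth_tag = blob.byteslice(IV_LEN, TAG_LEN)
    cipher.auth_data = key
    plain = cipher.update(blob.byteslice(IV_LEN + TAG_LEN, blob.bytesize)) + cipher.final
    plain.force_encoding(Encoding::UTF_8)
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end
```

A reader of the backend sees only IV, tag and ciphertext under `storage.<id>.httpx_access_token`, and because the cache key is authenticated as associated data, an entry copied to another storage's key fails to decrypt and is treated as a miss.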

Compliance Impact

The vulnerability involves the cleartext storage of sensitive OAuth access tokens, which can be accessed by an attacker with read access to the cache backend. This exposure of sensitive authentication tokens can lead to unauthorized access to protected resources, potentially resulting in a breach of confidentiality and integrity.

Such unauthorized disclosure of sensitive data may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive information and mandate controls to prevent unauthorized access and data breaches.

Therefore, organizations using affected versions of OpenProject could face compliance risks if this vulnerability is exploited, as it undermines the security controls expected by these regulations.

Executive Summary

CVE-2026-52783 is an information disclosure vulnerability in OpenProject versions prior to 17.3.3 and 17.4.1. The issue arises because the Storages module stores OneDrive/SharePoint userless OAuth access tokens in plaintext within Rails.cache under a predictable key. These tokens are continuously repopulated by an hourly cron job and userless OAuth calls. Since the cache backends used (file_store, memcache, redis) do not encrypt data at rest, an attacker with read access to the cache backend can retrieve these sensitive tokens.

The attacker can exploit protocols like the memcached binary protocol or equivalent Redis commands to anonymously read the Azure-AD application-tier bearer tokens, leading to exposure of sensitive authentication credentials.

Impact Analysis

This vulnerability can lead to the exposure of sensitive OAuth access tokens, which are bearer tokens granting access to Azure Active Directory resources. An attacker who obtains these tokens can impersonate the application or access protected resources without authorization.

The impact includes a high risk to confidentiality and integrity of data, as attackers can potentially access or manipulate sensitive information. However, availability is not affected by this vulnerability.
