CRITICAL · CVE-2026-52780 · Published · Modified · CNA GitHub_M

CVE-2026-52780: OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17.4.1.

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in
Affected Products: 1


HarborGuard Analysis

Synopsis

A cache store poisoning vulnerability in OpenProject allows an unauthenticated attacker on the same network segment to inject malicious data into the application's cache layer, which the server then deserializes or executes, resulting in full remote code execution. The attacker requires no credentials and no victim interaction; adjacent network access such as a shared LAN, cloud subnet, or VPN is sufficient to reach the cache backend. Successful exploitation gives the attacker arbitrary code execution in the context of the OpenProject server process. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment upstream publishes a fixed release.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built OpenProject images in private registries and CI pipelines. Any image shipping an affected OpenProject release (prior to 17.3.3, or in the 17.4.x line prior to 17.4.1) is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within the customer org based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been formally published yet in the advisory record, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention as soon as the fixed version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Detail

    The attacker must be on an adjacent network segment, such as a shared LAN, cloud VPC subnet, or VPN, to reach the cache backend; direct internet exposure is not required but internal network adjacency is.

  • Authentication: Not required

    No credentials of any kind are needed; the attacker can target the cache store without authenticating to the OpenProject application.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user needs to click a link, open a file, or take any action for the attack to succeed.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • The attacker executes arbitrary operating system commands in the context of the OpenProject server process, giving them full control of the application runtime.
  • All data the OpenProject instance can access, including project records, user credentials, attachments, and API tokens, is readable by the attacker.
  • The attacker can modify or delete any data stored or accessible by OpenProject, including project plans, issue trackers, and user account records.
  • The attacker can crash or indefinitely disrupt the OpenProject service, making it unavailable to all users on the instance.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of this advisory is active, with the CVE matched against every customer image containing an affected OpenProject release on each ingest cycle. Because no upstream fix has been confirmed in the published advisory record, no patched-image rebuild is available yet; HarborGuard will make one available automatically the moment a fixed release is confirmed upstream. For customers with auto-remediation enabled, the full flow (image rebuild, regression test run, and PR opened against affected workloads) triggers without manual action as soon as the patch is resolvable. In the interim, recommended compensating controls include applying network-policy rules to isolate the cache backend (Redis, Memcached, or equivalent) so it is reachable only by the OpenProject application process, enforcing egress filtering on the application subnet to limit lateral movement if compromise occurs, and disabling any externally exposed cache-adjacent interfaces until the patch is applied.

Affected packages
  • opf / openproject
    < 17.3.3 · >= 17.4.0, < 17.4.1
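
An added example (not HarborGuard's matcher and not OpenProject code) that applies the affected ranges listed above to container image references. The image names, the constructed inventory, and the rule that a suffix such as `-slim` denotes a variant of the same release are assumptions.

```python
import re

# Affected ranges as listed on this page: "< 17.3.3" and ">= 17.4.0, < 17.4.1".
FIXED_17_3 = (17, 3, 3)
AFFECTED_17_4 = ((17, 4, 0), (17, 4, 1))

# Full three-part version, optionally followed by a variant suffix (assumption:
# "-slim" and similar suffixes name an image variant, not a pre-release).
_TAG = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_tag(image_ref):
    """Return (major, minor, patch), or None when the tag is missing or floating
    (for example '17' or 'latest') and so cannot be mapped to one release."""
    ref = image_ref.split("@", 1)[0]          # ignore any digest part
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                 # no tag; the ':' was a registry port
        return None
    match = _TAG.match(tag)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(image_ref):
    """Classify one image reference as 'affected', 'fixed' or 'unknown'."""
    version = parse_tag(image_ref)
    if version is None:
        return "unknown"                      # resolve the tag before trusting it
    low, high = AFFECTED_17_4
    # Tuple comparison is numeric, so 17.3.10 correctly sorts after 17.3.3.
    if version < FIXED_17_3 or low <= version < high:
        return "affected"
    return "fixed"


def audit(image_refs):
    """Map every reference in an inventory to its classification."""
    return {ref: classify(ref) for ref in image_refs}


# Constructed inventory for illustration; these are not real deployments.
SAMPLE_INVENTORY = [
    "openproject/openproject:17.3.2",
    "openproject/openproject:17.3.10",
    "registry.internal.example:5000/pm/openproject:17.4.0-slim",
    "openproject/openproject:17.4.1",
    "openproject/openproject:17",
]

if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{verdict:9} {ref}")
```

Floating tags come back as `unknown` rather than `fixed`, because a tag like `17` can still point at an affected build until the image is re-pulled.
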
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H