CVE-2026-52780 in OpenProject

Summary

by MITRE • 06/26/2026

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17.4.1.

Analysis

by VulDB Data Team • 06/26/2026

The OpenProject web-based project management platform contains a critical cache store poisoning vulnerability that enables remote code execution in versions prior to 17.3.3 and 17.4.1. This flaw resides in the application's caching mechanism where improperly validated user input can be stored and subsequently executed as code. The vulnerability manifests when the system processes data through its cache layer without adequate sanitization or validation checks, creating an attack surface that allows malicious actors to inject arbitrary code into the application's memory store.

The technical implementation of this vulnerability involves manipulation of cached data structures where user-supplied parameters are not properly escaped or validated before being stored in the application's cache. When the system retrieves these cached values during subsequent requests, it executes the malicious code contained within the poisoned cache entries. This represents a classic cache poisoning attack pattern that aligns with common weakness enumerations such as CWE-20 for improper input validation and CWE-94 for external control of code generation. The attack vector operates through web-based interfaces where users can submit data that gets cached and later executed without proper security context verification.

The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise, as attackers can leverage the RCE capability to gain unauthorized access to underlying server resources. This includes potential privilege escalation, data exfiltration, and further network infiltration through lateral movement. The vulnerability affects organizations using OpenProject versions 17.3.2 and earlier, or 17.4.0 and earlier, making it particularly concerning for enterprises that maintain legacy software environments. Security teams should note the implications for their incident response protocols, as this vulnerability could enable persistent threat actors to establish footholds within network infrastructure.

Mitigation strategies should prioritize immediate patching of affected OpenProject installations to versions 17.3.3 or 17.4.1 where the cache validation mechanisms have been strengthened. Organizations should also implement additional network segmentation controls and monitoring around caching components to detect anomalous behavior patterns. The fix addresses the root cause by implementing proper input sanitization and validation routines within the cache layer, ensuring that only properly formatted data can be stored and executed. Security professionals should reference attack techniques documented in the MITRE ATT&CK framework under the execution and privilege escalation phases when designing defensive measures. Additional protective controls may include web application firewall rules targeting known malicious payloads and comprehensive logging of cache operations for forensic analysis purposes.

Responsible: GitHub M
Reservation: 06/08/2026
Disclosure: 06/26/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: very low
