Description

OpenProject is open-source, web-based project management software. Prior to versions 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token in plaintext to Rails.cache under the deterministic key storage..httpx_access_token, repopulated continuously by an hourly cron and by every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.

Severity (CVSS)

Base score:  8.2
Severity:    High
Version:     CVSS 3.1
Vector:      CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Provided by: CNA

Weaknesses

  • CWE-313: Cleartext Storage in a File or on Disk

Affected products

Vendor:   opf
Product:  openproject
Versions: < 17.3.3; >= 17.4.0, < 17.4.1

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 27 Jun 2026 07:02 UTC.