OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)

9.6 / 10

CRITICAL

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17.4.1.

AI Analysis

Cache store poisoning vulnerability leading to Remote Code Execution (RCE) in OpenProject

Basic Information

ID CVE-2026-52780

Source GitHub_M

Published Jun 26, 2026 at 19:09

Affected Product

Vendor opf

Product openproject

Version < 17.3.3

Affected Versions opf openproject < 17.3.3
opf openproject >= 17.4.0, < 17.4.1

CWE Classification

CWE-20

AI Assessment

AI Score 9.6 / 10

AI Severity Critical

Vendor OpenProject Foundation

Product OpenProject

Version < 17.3.3, 17.4.0

References

github.com /opf/openproject/security/advisories/GHSA-qj96-f42f-6336

{
    "lastseen": "",
    "description": "OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17.4.1.",
    "published": "2026-06-26T19:09:21.329Z",
    "modified": "2026-06-26T19:09:21.329Z",
    "type": "cve",
    "title": "OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)",
    "source": "GitHub_M",
    "references": "https://github.com/opf/openproject/security/advisories/GHSA-qj96-f42f-6336",
    "id": "CVE-2026-52780",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "opf openproject < 17.3.3\nopf openproject >= 17.4.0, < 17.4.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openproject",
    "version": "< 17.3.3",
    "vendor": "opf",
    "ai_description": "Cache store poisoning vulnerability leading to Remote Code Execution (RCE) in OpenProject",
    "ai_severity": "Critical",
    "ai_vendor": "OpenProject Foundation",
    "ai_product": "OpenProject",
    "ai_version": "< 17.3.3, 17.4.0",
    "ai_score": 9.6
}

OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)_CVE-2026-52780