CVE Catalog

CVE-2026-46386

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

The official openproject/openproject Docker image ships with a default SECRET_KEY_BASE=OVERWRITE_ME, which combined with cookies_serializer = :marshal allows any logged-in user a deterministic Marshal-deserialization path via the /my/two_factor_devices cookie reader. This vulnerability is fixed in a later version.

Risk Assessment

An attacker can remotely execute arbitrary code or gain unauthorized access by exploiting Marshal deserialization, leading to full compromise of the OpenProject instance.

Recommendation

Immediately update the OpenProject Docker image to the latest version and replace the default SECRET_KEY_BASE with a strong, random key.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .

Vulnerability data from NVD (NIST) · CISA KEV · EPSS