CVE-2026-46386
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
The official openproject/openproject Docker image ships with a default SECRET_KEY_BASE=OVERWRITE_ME, which combined with cookies_serializer = :marshal allows any logged-in user a deterministic Marshal-deserialization path via the /my/two_factor_devices cookie reader. This vulnerability is fixed in a later version.
Risk Assessment
An attacker can remotely execute arbitrary code or gain unauthorized access by exploiting Marshal deserialization, leading to full compromise of the OpenProject instance.
Recommendation
Immediately update the OpenProject Docker image to the latest version and replace the default SECRET_KEY_BASE with a strong, random key.
Original NVD description (English source)
OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .

