CVE-2026-46386

Summary

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .

Affected Software

VendorProductVersion RangeStatus
opfopenproject>= 8.3.0, < 17.2.4affected
opfopenproject>= 17.3.0, < 17.3.2affected

Weaknesses

  • CWE-502: CWE-502: Deserialization of Untrusted Data
  • CWE-798: CWE-798: Use of Hard-coded Credentials
  • CWE-1188: CWE-1188: Insecure Default Initialization of Resource
  • CWE-1392: CWE-1392: Use of Default Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References