CVE-2026-46386: CWE-502: Deserialization of Untrusted Data in opf openproject
OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .
AI Analysis
Technical Summary
CVE-2026-46386 is a critical vulnerability in OpenProject where the official Docker image ships with a default Rails master key (SECRET_KEY_BASE=OVERWRITE_ME) combined with cookies serialized using Marshal. This setup enables any authenticated user to exploit a deterministic Marshal deserialization path accessible through the /my/two_factor_devices cookie. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and related CWEs. Although the description mentions the vulnerability is fixed in a certain version, no explicit version or patch details are provided in the input data.
Potential Impact
The vulnerability allows an authenticated user to perform unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability of the OpenProject instance. The CVSS score of 9.9 reflects critical impact with network attack vector, low attack complexity, and no user interaction required beyond authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch details are provided, users should monitor the vendor's announcements for updates. Until a fix is available, avoid using the default Docker image with the fixed SECRET_KEY_BASE and consider disabling or changing the cookies_serializer setting from :marshal if possible.
CVE-2026-46386: CWE-502: Deserialization of Untrusted Data in opf openproject
Description
OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .
CVSS v3.1
Score 9.9critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46386 is a critical vulnerability in OpenProject where the official Docker image ships with a default Rails master key (SECRET_KEY_BASE=OVERWRITE_ME) combined with cookies serialized using Marshal. This setup enables any authenticated user to exploit a deterministic Marshal deserialization path accessible through the /my/two_factor_devices cookie. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and related CWEs. Although the description mentions the vulnerability is fixed in a certain version, no explicit version or patch details are provided in the input data.
Potential Impact
The vulnerability allows an authenticated user to perform unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability of the OpenProject instance. The CVSS score of 9.9 reflects critical impact with network attack vector, low attack complexity, and no user interaction required beyond authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch details are provided, users should monitor the vendor's announcements for updates. Until a fix is available, avoid using the default Docker image with the fixed SECRET_KEY_BASE and consider disabling or changing the cookies_serializer setting from :marshal if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T19:53:47.922Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3edc0372d29f1837f464ad
Added to database: 06/26/2026, 20:07:31 UTC
Last enriched: 06/26/2026, 20:12:22 UTC
Last updated: 06/26/2026, 20:51:27 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.