CVE-2026-46386 | OpenProject is open-source, web-based project management sof… | CVSS 9.9 CRITICAL

Description

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .

Metadata

CVE ID: CVE-2026-46386
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-13 19:53 UTC
Published: 2026-06-26 19:26 UTC
Last updated: 2026-06-26 19:26 UTC
Primary CWE: CWE-502
CWE-502: Deserialization of Untrusted Data
Vendor / Product: opf / openproject
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
opf	openproject	—	>= 8.3.0, < 17.2.4, >= 17.3.0, < 17.3.2

Weakness (CWE)

CWE	Source	Description
CWE-1188	cna	CWE-1188: Insecure Default Initialization of Resource
CWE-1392	cna	CWE-1392: Use of Default Credentials
CWE-502	cna	CWE-502: Deserialization of Untrusted Data
CWE-798	cna	CWE-798: Use of Hard-coded Credentials

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/opf/openproject/security/advisories/GHSA-r85r-gjq2-f83r https://github.com/opf/openproject/security/advisories/GHSA-r85r-gjq2-f83r