CVE-2026-46386
Deferred - Pending Action
OpenProject Docker Image Rails Master Key Deserialization Flaw

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails secret key base (the secret from which Rails derives the keys that sign and encrypt cookies). Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader. This vulnerability is fixed in .
CVSS Scores: none listed
EPSS Scores: not evaluated (N/A)
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: openproject
Product: openproject
Version / Range: from 8.3.0 (inclusive) to 17.3.1 (inclusive)
CWE ID: Description
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-1392: The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
Executive Summary

CVE-2026-46386 is a critical vulnerability in the official openproject/openproject Docker image that leads to remote code execution inside the container. The image ships with the environment variable SECRET_KEY_BASE hardcoded to OVERWRITE_ME, and the application serializes cookies with Ruby's Marshal format. Because Rails derives its cookie signing and encryption keys from the secret key base, anyone who knows the default value can produce cookies the server accepts as authentic; because the cookie reader deserializes them with Marshal, such a forged cookie can instantiate arbitrary Ruby objects, which is the well-known route to executing attacker-controlled code.

Versions 8.3.0 through 17.3.1 (inclusive) are affected whenever SECRET_KEY_BASE has not been changed from the default. Exploitation requires a logged-in account, but any low-privilege user suffices, and where self-registration is enabled an attacker can simply create one.

Exploitation results in admin-level control over OpenProject or the ability to execute OS commands within the container, potentially compromising sensitive data and network resources. The root causes are hardcoded credentials, insecure default initialization, and unsafe deserialization.

Impact Analysis

This vulnerability can have severe impacts including complete compromise of the OpenProject instance running inside the Docker container. An attacker can gain administrative privileges or execute arbitrary operating system commands within the container.

Such control allows unauthorized access to sensitive project management data, manipulation or deletion of information, and potential lateral movement within the network. It also threatens the confidentiality, integrity, and availability of the affected system.

Detection Guidance

An instance is exposed when its OpenProject container runs with SECRET_KEY_BASE left at the image default OVERWRITE_ME (or unset). Check the running container, not only the compose file or the image: docker inspect reports the environment the container was created with, image defaults included, while docker exec shows what the processes inside actually see.

  • Run the command: docker exec <container_id_or_name> printenv SECRET_KEY_BASE
  • Alternatively, inspect the container's configured environment with: docker inspect <container_id_or_name> | grep SECRET_KEY_BASE

printenv prints only the value, so output of OVERWRITE_ME (or no output at all, meaning the variable is unset) indicates a vulnerable system; docker inspect shows the full SECRET_KEY_BASE=OVERWRITE_ME entry. A value copied from a public example or from documentation is no better than the default: the key must be unique to the deployment.
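The check above, extended to every running container built from the openproject/openproject image, as an added example (not code from the page or from OpenProject). The 64-character minimum length is this script's own assumption, chosen because rails secret and openssl rand -hex 64 both emit 128 hex characters; the advisory itself only names the OVERWRITE_ME default and the unset case.

```ruby
# Added example, not from the page or from OpenProject: classify a SECRET_KEY_BASE
# value and audit running containers whose image is openproject/openproject.
# MIN_LENGTH is this script's own assumption, not a threshold from the advisory.
require 'open3'

DEFAULT_VALUE = 'OVERWRITE_ME'   # the image default named in the advisory
MIN_LENGTH = 64                  # assumption: anything shorter was not generated randomly

# Returns one of :unset, :default, :short, :ok
def classify_secret_key_base(value)
  return :unset   if value.nil? || value.strip.empty?
  return :default if value == DEFAULT_VALUE
  return :short   if value.length < MIN_LENGTH
  :ok
end

def insecure?(value)
  classify_secret_key_base(value) != :ok
end

# Parse `docker ps --format "{{.Names}}<TAB>{{.Image}}"` output and keep only
# containers running an openproject/openproject image (any tag).
def openproject_containers(ps_output)
  ps_output.each_line
           .map { |line| line.chomp.split("\t", 2) }
           .select { |_name, image| image.to_s.include?('openproject/openproject') }
           .map(&:first)
end

# What the processes inside the container actually see; printenv exits non-zero
# when the variable is unset, which we report as nil.
def container_secret(name)
  out, status = Open3.capture2('docker', 'exec', name, 'printenv', 'SECRET_KEY_BASE')
  status.success? ? out.chomp : nil
end

def audit
  ps, status = Open3.capture2('docker', 'ps', '--format', "{{.Names}}\t{{.Image}}")
  abort 'docker ps failed; is the daemon reachable?' unless status.success?
  openproject_containers(ps).each do |name|
    verdict = classify_secret_key_base(container_secret(name))
    flag = verdict == :ok ? '' : '  <-- rotate SECRET_KEY_BASE before exposing this instance'
    puts "#{name}: #{verdict}#{flag}"
  end
rescue Errno::ENOENT
  abort 'docker CLI not found in PATH'
end

# Run as: ruby check_secret_key_base.rb --audit
audit if __FILE__ == $0 && ARGV.include?('--audit')
```

Run it on the Docker host with --audit; every line other than ":ok" names a container that still needs a unique key. Treat :short as a warning rather than proof of exposure, since that threshold is the script's assumption.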

Mitigation Strategies

Immediate mitigation: set a long, random, deployment-unique SECRET_KEY_BASE for the OpenProject container (for example the output of openssl rand -hex 64) and restart it. Rotating the key invalidates every existing session cookie, including any an attacker may already have forged under the default; that is the intended effect, so expect users to sign in again.

Ensure that no deployment still uses the default value 'OVERWRITE_ME' for SECRET_KEY_BASE, including staging and test instances that are reachable over the network.

Update the OpenProject Docker image to a fixed version where the vulnerability is addressed.

Verify that the cookie serializer is switched from Marshal to JSON, so that even a forged cookie deserializes to plain data rather than arbitrary Ruby objects.

The fixed image aborts startup when SECRET_KEY_BASE is unset or still the insecure default. If the container fails to start after the update, that check is the most likely cause: supply a proper value and start it again.
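The two halves of the problem described in the Executive Summary (a secret everyone knows lets anyone forge cookies; a Marshal reader turns a forged cookie into object instantiation) and the serializer change recommended above, shown together in a miniature signed-cookie scheme. This is an added example and not OpenProject's or Rails' code: real Rails derives the cookie key from secret_key_base with PBKDF2 and adds an encryption layer, both omitted here, and the Preference class and the cookie layout are constructed for the demonstration.

```ruby
# Added example, not OpenProject's code: a miniature Rails-style signed cookie showing
# (1) why a secret_key_base everyone knows lets anyone forge cookies and
# (2) why cookies_serializer = :marshal makes a forged cookie instantiate objects,
# while a JSON serializer yields only plain data. Key derivation (PBKDF2) and the
# encryption layer of real Rails cookies are omitted; Preference is a demo class.
require 'openssl'
require 'json'
require 'securerandom'

DEFAULT_SECRET = 'OVERWRITE_ME'   # the image default named in the advisory

# Constant-time byte comparison so verification does not leak the expected signature.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie layout: "<strict base64 payload>--<hex HMAC-SHA256 over that base64>".
def sign(secret, serialized)
  data = [serialized].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Returns the serialized payload when the signature checks out, nil otherwise.
def verify(secret, cookie)
  data, sig = cookie.to_s.split('--', 2)
  return nil unless data && sig
  return nil unless secure_equal?(OpenSSL::HMAC.hexdigest('SHA256', secret, data), sig)
  data.unpack1('m0')
rescue ArgumentError   # malformed base64
  nil
end

# A class the application stores in its session (constructed for this demo).
class Preference
  attr_reader :theme
  def initialize(theme)
    @theme = theme
  end
end

# cookies_serializer = :marshal -- Marshal.load allocates whatever class the payload
# names and fills in its instance variables, without ever calling initialize.
def read_cookie_marshal(secret, cookie)
  raw = verify(secret, cookie)
  raw && Marshal.load(raw)
end

# cookies_serializer = :json -- only Hash/Array/String/Numeric/true/false/nil come back.
def read_cookie_json(secret, cookie)
  raw = verify(secret, cookie)
  return nil unless raw
  JSON.parse(raw)
rescue JSON::ParserError   # e.g. a Marshal blob handed to the JSON reader
  nil
end

# Anyone who knows `secret` can mint a cookie the server will trust.
def forge_marshal_cookie(secret, object)
  sign(secret, Marshal.dump(object))
end

# Demonstration
forged = forge_marshal_cookie(DEFAULT_SECRET, Preference.new('attacker-chosen'))
obj = read_cookie_marshal(DEFAULT_SECRET, forged)
puts "marshal + default key: accepted #{obj.class} with theme=#{obj.theme}"

fresh_secret = SecureRandom.hex(64)   # same size as `openssl rand -hex 64`
puts "marshal + unique key:  #{read_cookie_marshal(fresh_secret, forged).inspect}"   # signature fails

puts "json + default key:    #{read_cookie_json(DEFAULT_SECRET, forged).inspect}"   # no object, just nil
```

The first line shows the whole problem: with the shipped secret, a cookie minted outside the application is indistinguishable from one the server issued, and the Marshal reader rebuilds whatever object it names. Rotating the secret makes the same cookie fail verification; switching the reader to JSON means that even a cookie that does verify can only ever yield plain data.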

Compliance Impact

This vulnerability allows attackers to execute arbitrary code with admin-level privileges or OS command execution within the container, potentially leading to unauthorized access to sensitive data or network resources.

Such unauthorized access and control can compromise the confidentiality, integrity, and availability of data managed by OpenProject, which may include personal or sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive data from unauthorized access and breaches.
