All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-46386
CRITICALpublished 2026-06-26 20:17 UTC · 2 days ago · modified 2026-06-26 20:20 UTC
9.9
CVSS / 10
// description
OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
// weaknesses (CWE)
- CWE-502
- CWE-798
- CWE-1188
- CWE-1392