CRITICAL · CVE-2026-46386 · CNA: GitHub_M

CVE-2026-46386: OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal`

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader. This vulnerability is fixed in .

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A remote code execution vulnerability exists in the official OpenProject Docker image because a hardcoded default Rails secret key (`SECRET_KEY_BASE=OVERWRITE_ME`) is combined with a Marshal-based cookie serializer. Because the signing secret is publicly known, any authenticated user can craft a serialized cookie that carries a signature the server accepts as valid; the server then passes the cookie contents to Marshal deserialization. Successful exploitation gives the attacker full code execution on the server. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46386 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images derived from the openproject/openproject base. Coverage applies to affected version ranges (>= 8.3.0 and < 17.2.4; >= 17.3.0 and < 17.3.2).

Triage: Available

HarborGuard scores this CVE at CVSS 9.9 Critical and surfaces it accordingly in each customer's findings queue, with weighting applied by that environment's compliance policy (for example, policies that elevate internet-exposed workloads will rank this higher). Routing rules can direct the finding to the appropriate team inbox inside each customer org based on image ownership or namespace.

Patch: Pending upstream

No upstream fix version has been published for CVE-2026-46386. HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment the upstream maintainers release a remediated version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable cookie-deserialization endpoint is exposed over the network, so the attacker must be able to reach the OpenProject service via HTTP/HTTPS.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker only needs a valid session to submit a crafted cookie to the vulnerable endpoint.

  • Victim interaction: Not required

    No victim action is required; the attacker submits the malicious cookie directly and the server processes it immediately.

  • Attack complexity: Low

    Exploit complexity is low: the secret key is a known, hardcoded default, so constructing a valid malicious Marshal payload requires no race conditions or environmental guesswork.

Blast Radius

  • The attacker executes arbitrary operating-system commands as the Rails application process user inside the container.
  • All data accessible to the application, including project records, user credentials, and stored secrets, can be read.
  • The attacker can modify or delete any data the application can write, including project content and user accounts.
  • The running container can be crashed or repurposed as a pivot point into other services on the same internal network.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published, HarborGuard monitors the OpenProject advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a remediated version is released. For customers with auto-remediation enabled, that rebuild is followed by a regression run and a PR opened against affected workloads, with no manual steps required. In the meantime, compensating controls are strongly recommended: apply a network policy that restricts inbound access to OpenProject to known, trusted IP ranges; override the SECRET_KEY_BASE environment variable with a strong random value in every deployment (never leave the default OVERWRITE_ME in place; note that rotating the key invalidates every cookie signed under the old value, so existing sessions are logged out); and consider disabling or firewall-isolating the /my/two_factor_devices endpoint if it is not in active use. Replacing the secret removes the known-signing-key condition that makes the Marshal deserialization path exploitable; the network and endpoint restrictions limit who can reach it until the upstream fix lands.
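As an added pre-deployment check, not code from OpenProject or HarborGuard, the following Ruby validates the two settings this advisory combines (the signing secret and the cookie serializer) before a container is started; the minimum-length threshold and the extra placeholder strings are assumptions.

```ruby
require 'securerandom'

# Placeholder values that must never serve as a Rails signing key.
# "OVERWRITE_ME" is the default named in the advisory; the other entries
# are constructed examples of similarly weak placeholders (assumption).
KNOWN_PLACEHOLDERS = %w[OVERWRITE_ME CHANGEME changeme secret].freeze

# Assumed threshold: `rails secret` emits 128 hex characters, so anything
# shorter than 64 is treated as too weak to act as a signing key.
MIN_SECRET_LENGTH = 64

# Serializer settings that still reach Marshal.load when a cookie is read.
# :hybrid writes JSON but falls back to Marshal for cookies that are not JSON.
MARSHAL_SERIALIZERS = %i[marshal hybrid].freeze

# Inspects an ENV-like hash and the configured cookies_serializer.
# Returns an array of finding strings; an empty array means neither of the
# two conditions this advisory depends on is present.
def check_rails_cookie_settings(env, cookies_serializer)
  findings = []
  secret = env['SECRET_KEY_BASE'].to_s

  if secret.empty?
    findings << 'SECRET_KEY_BASE is not set'
  elsif KNOWN_PLACEHOLDERS.include?(secret)
    findings << "SECRET_KEY_BASE is the placeholder #{secret.inspect}: " \
                'anyone can produce cookies the server will accept as signed'
  elsif secret.length < MIN_SECRET_LENGTH
    findings << "SECRET_KEY_BASE is only #{secret.length} characters " \
                "(expected at least #{MIN_SECRET_LENGTH})"
  end

  if MARSHAL_SERIALIZERS.include?(cookies_serializer.to_s.to_sym)
    findings << "cookies_serializer is :#{cookies_serializer}: cookie contents " \
                'reach Marshal.load; set it to :json'
  end

  findings
end

# Produces a replacement of the same shape as `rails secret` (128 hex chars).
def generate_secret_key_base
  SecureRandom.hex(64)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: the image default from the advisory, left unchanged.
  check_rails_cookie_settings({ 'SECRET_KEY_BASE' => 'OVERWRITE_ME' }, :marshal)
    .each { |f| warn "FAIL: #{f}" }
  puts "replacement SECRET_KEY_BASE: #{generate_secret_key_base}"
end
```

Run it against the container's environment (for example `docker inspect` output) as a gate in the deployment pipeline; a non-empty findings list should block the rollout.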

Affected packages
  • opf / openproject
    >= 8.3.0, < 17.2.4 · >= 17.3.0, < 17.3.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H