Web-based project management software vulnerability in OpenProject by OPF
CVE-2026-46386

9.9 CRITICAL

Key Information:

Vendor: OPF
CVE Published: 26 June 2026

What is CVE-2026-46386?

OpenProject, an open-source web-based project management tool, ships a Docker image whose default configuration sets the Rails master key to the placeholder value 'OVERWRITE_ME'. Because the application also configures 'cookies_serializer = :marshal', anyone who knows that key can mint a validly signed cookie whose payload is arbitrary Marshal data, and the cookie reader behind '/my/two_factor_devices' will deserialize it. A logged-in user on an instance still running with the default key can therefore use this to access sensitive information and compromise the integrity of user sessions. Ruby's Marshal.load will instantiate any class loaded in the process from attacker-controlled bytes, so the deserialization step, not the cookie contents, is the dangerous part. The CVSS vector below rates confidentiality, integrity and availability impact as High with a changed scope. Operators should upgrade to 17.2.4 or 17.3.2 and confirm that the instance's secret has been replaced with a unique, randomly generated value; any cookie signed under the placeholder remains forgeable for as long as the placeholder is accepted.
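The following is an added example, not OpenProject's code or the advisory's, that models the two ingredients the description names: a signing secret that an attacker knows, and a Marshal cookie serializer. The CookieVerifier class is a deliberately simplified stand-in for a Rails signed cookie (base64 payload, "--", HMAC over the payload) and is not Rails' actual implementation; the TwoFactorDevice class and the forge_cookie helper are hypothetical names chosen for the demonstration. It runs three scenarios: default secret with Marshal (the forged cookie verifies and an attacker-chosen object is instantiated), a unique secret with Marshal (the forgery fails the MAC check), and default secret with a JSON serializer (the forgery verifies but can only yield plain data).

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Placeholder value the advisory describes as the shipped default.
DEFAULT_SECRET = 'OVERWRITE_ME'

# Constant-time comparison so the demo verifier does not leak the MAC byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified model of a signed cookie (assumption: same shape as Rails' MessageVerifier,
# base64(serializer.dump(value)) + "--" + HMAC(secret, data), but not Rails itself).
# The secret is all that separates a legitimate cookie from a forged one;
# the serializer decides what verify() is able to build from the payload.
class CookieVerifier
  def initialize(secret, serializer:)
    @secret = secret
    @serializer = serializer
  end

  def generate(value)
    data = [@serializer.dump(value)].pack('m0') # strict base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # Returns the deserialized value, or nil when the MAC does not match.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil unless data && sig && secure_compare(digest(data), sig)
    @serializer.load(data.unpack1('m0'))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end
end

# JSON serializer with the same dump/load interface as Marshal. JSON.parse only ever
# yields strings, numbers, booleans, arrays and hashes, never arbitrary Ruby objects.
module JsonSerializer
  def self.dump(value)
    JSON.generate(value)
  end

  def self.load(bytes)
    JSON.parse(bytes)
  end
end

# Hypothetical server-side class. The server never writes one of these into a cookie,
# but under Marshal an attacker who knows the secret can make verify() construct one.
class TwoFactorDevice
  attr_accessor :user_id, :active
end

# Attacker side: sign a payload of the attacker's choosing with the known secret.
def forge_cookie(known_secret, serializer, object)
  CookieVerifier.new(known_secret, serializer: serializer).generate(object)
end

def attacker_device
  d = TwoFactorDevice.new
  d.user_id = 1 # attacker picks any user id
  d.active = true
  d
end

# Scenario 1: default secret + Marshal. verify() hands back an attacker-built object.
def vulnerable_outcome
  server = CookieVerifier.new(DEFAULT_SECRET, serializer: Marshal)
  server.verify(forge_cookie(DEFAULT_SECRET, Marshal, attacker_device))
end

# Scenario 2: unique secret + Marshal. The MAC check fails; nothing is deserialized.
def rotated_secret_outcome
  server = CookieVerifier.new(SecureRandom.hex(64), serializer: Marshal)
  server.verify(forge_cookie(DEFAULT_SECRET, Marshal, attacker_device))
end

# Scenario 3: default secret + JSON. The forgery passes the MAC check, but the payload
# can only be plain data, so no server-side class is instantiated.
def json_serializer_outcome
  server = CookieVerifier.new(DEFAULT_SECRET, serializer: JsonSerializer)
  server.verify(forge_cookie(DEFAULT_SECRET, JsonSerializer, { 'user_id' => 1, 'active' => true }))
end

if __FILE__ == $PROGRAM_NAME
  puts "default secret + Marshal : #{vulnerable_outcome.inspect}"
  puts "unique secret  + Marshal : #{rotated_secret_outcome.inspect}"
  puts "default secret + JSON    : #{json_serializer_outcome.inspect}"
end
```

The point of the third scenario is that rotating the secret and switching the serializer fix different things: a unique secret stops the forgery from verifying at all, while a JSON serializer bounds the damage if the secret ever leaks again. Both are worth having; the advisory's fix versions address the shipped default, and operators should still confirm their running instance is not using the placeholder.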

Affected Version(s)

openproject >= 8.3.0, < 17.2.4 (fixed in 17.2.4)

openproject >= 17.3.0, < 17.3.2 (fixed in 17.3.2)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 26 June 2026

  • Vulnerability reserved