OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRETKEYBASE=OVERWRITEME as the default Rails master key. Combined with cookiesserializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/twofactordevices cookie reader This vulnerability is fixed in .
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46386.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-1188",
"CWE-1392",
"CWE-502",
"CWE-798"
]
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "8.3.0"
},
{
"fixed": "17.2.4"
},
{
"introduced": "17.3.0"
},
{
"fixed": "17.3.2"
}
]
}