CVE-2026-46386
Published: 26 June 2026
Summary
CVE-2026-46386 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-39875
Vulnerability details
OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader. This vulnerability is fixed in .
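A startup preflight that catches the two conditions this advisory combines (a shipped placeholder secret and a Marshal cookie serializer) before the container serves requests. This is an added example, not OpenProject's own code; the placeholder list beyond OVERWRITE_ME, the length threshold and the function name preflight_findings are assumptions.

```ruby
# Deployment preflight for a Rails app such as OpenProject: report when the
# cookie-signing secret is a shipped placeholder or the cookie serializer is
# Marshal. Added example, not OpenProject's own code.
require "set"

# OVERWRITE_ME is the value named in the advisory; the others are constructed
# examples of the same placeholder pattern.
PLACEHOLDER_SECRETS = Set["OVERWRITE_ME", "changeme", "CHANGE_ME", ""].freeze
# `rails secret` emits 128 hex characters; treat anything shorter as suspect.
MIN_SECRET_LENGTH = 64

# Returns an array of findings; an empty array means the configuration passes.
def preflight_findings(env, cookies_serializer)
  findings = []
  secret = env.fetch("SECRET_KEY_BASE", "")
  if PLACEHOLDER_SECRETS.include?(secret)
    findings << "SECRET_KEY_BASE is a placeholder (#{secret.inspect}); " \
                "anyone holding the image can mint validly signed cookies"
  elsif secret.length < MIN_SECRET_LENGTH
    findings << "SECRET_KEY_BASE is only #{secret.length} chars; generate one with `rails secret`"
  elsif secret.chars.uniq.size < 8
    findings << "SECRET_KEY_BASE has very low character diversity; it does not look random"
  end
  # :marshal makes a forged cookie an arbitrary-object deserialization (CWE-502);
  # :json keeps cookie contents plain data; :hybrid still reads Marshal cookies
  # and is only acceptable while migrating.
  case cookies_serializer.to_sym
  when :marshal then findings << "cookies_serializer is :marshal; switch to :json (or :hybrid while migrating)"
  when :hybrid  then findings << "cookies_serializer is :hybrid; Marshal cookies are still accepted, finish migrating to :json"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: the insecure defaults described in the advisory.
  findings = preflight_findings({ "SECRET_KEY_BASE" => "OVERWRITE_ME" }, :marshal)
  findings.each { |f| warn "FAIL: #{f}" }
  puts(findings.empty? ? "preflight passed" : "preflight failed: #{findings.size} finding(s)")
end
```

In a real entrypoint the script would exit non-zero when findings is non-empty so the container never starts with the weak configuration.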
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Default secret key enables unauthenticated deserialization RCE path in public-facing web app (CWE-502 + CWE-798).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products.
- Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.
- Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments.
- Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
- Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
- Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
- Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
- Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (1 rule)
- V-248823 OL 8 must not have the telnet-server package installed. via CWE-1188
RHEL 7 (1 rule)
- V-204627 SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default. via CWE-1188
Ubuntu 22.04 (1 rule)
- V-260529 Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. via CWE-1188
Ubuntu 24.04 (1 rule)
- V-270708 Ubuntu 24.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. via CWE-1188
Windows Server 2016 (1 rule)
- V-224972 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
Windows Server 2019 (1 rule)
- V-205741 Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
Windows Server 2022 (1 rule)
- V-254393 Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188