
CVE-2026-46386

Critical · RCE

Published: 26 June 2026
Modified: 29 June 2026
KEV Added: not listed
Patch:
CVSS v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0027 (19.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-46386 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails secret_key_base (the secret from which cookie signing and encryption keys are derived). Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader: whoever knows the secret can mint a cookie that passes verification and is then handed to Marshal.load. This vulnerability is fixed in .
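The block below is an added illustration and is not OpenProject's or Rails' code. It models the Rails signed-cookie scheme with Ruby's standard library only: a purpose-specific key derived from secret_key_base with PBKDF2-HMAC-SHA1 (1000 iterations, 64 bytes, salt "signed cookie") and an HMAC-SHA1 over the Base64 payload, which is my reading of the ActiveSupport::KeyGenerator and MessageVerifier defaults and should be treated as an assumption; a real OpenProject cookie may be encrypted rather than signed or carry Rails' metadata envelope, so the byte layout is illustrative. It forges a cookie under the shipped default, shows the :marshal reader executing code chosen by the cookie's author (a benign Probe class constructed for the example stands in for a gadget), shows the same cookie being rejected once the secret is rotated, and shows a :json reader that can only ever yield plain data. The Probe class, the rotated-secret string and all function names are constructed for the example.

```ruby
require "openssl"
require "json"

# Added example, not OpenProject's or Rails' code. A stdlib-only model of the
# Rails signed-cookie scheme; the constants are my reading of the
# ActiveSupport::KeyGenerator / MessageVerifier defaults (assumption).
DEFAULT_SECRET_KEY_BASE = "OVERWRITE_ME"   # the value shipped in the Docker image
SIGNED_COOKIE_SALT      = "signed cookie"  # Rails' default signed_cookie_salt
KEY_ITERATIONS          = 1000
KEY_LENGTH              = 64

# secret_key_base -> per-purpose key, PBKDF2-HMAC-SHA1 as in KeyGenerator.
def derive_key(secret_key_base, salt = SIGNED_COOKIE_SALT)
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: salt, iterations: KEY_ITERATIONS,
                           length: KEY_LENGTH, hash: "sha1")
end

# Constant-time comparison so the verifier does not leak the digest byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# MessageVerifier layout: "<base64 payload>--<hex HMAC-SHA1>".
def sign(payload, key)
  "#{payload}--#{OpenSSL::HMAC.hexdigest("SHA1", key, payload)}"
end

# Returns the Base64 payload when the HMAC checks out, nil otherwise.
def verify(cookie, key)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  secure_equal?(OpenSSL::HMAC.hexdigest("SHA1", key, payload), digest) ? payload : nil
end

# Anyone who knows secret_key_base can mint a valid cookie for any Ruby object.
def forge_marshal_cookie(obj, secret_key_base)
  sign([Marshal.dump(obj)].pack("m0"), derive_key(secret_key_base))
end

def make_json_cookie(obj, secret_key_base)
  sign([JSON.generate(obj)].pack("m0"), derive_key(secret_key_base))
end

# Vulnerable reader (cookies_serializer = :marshal): whatever verifies is handed
# to Marshal.load, which instantiates the classes named in the payload.
def read_cookie_marshal(cookie, secret_key_base)
  payload = verify(cookie, derive_key(secret_key_base))
  payload && Marshal.load(payload.unpack1("m0"))
end

# Hardened reader (cookies_serializer = :json): parsing yields only strings,
# numbers, arrays and hashes, never application objects.
def read_cookie_json(cookie, secret_key_base)
  payload = verify(cookie, derive_key(secret_key_base))
  return nil unless payload
  JSON.parse(payload.unpack1("m0"))
rescue JSON::JSONError
  nil
end

# Benign stand-in for a gadget class (constructed for the example): Marshal.load
# calls marshal_load on it, i.e. the server runs code the cookie's author chose.
class Probe
  attr_reader :loaded_with
  def initialize(tag = nil); @tag = tag; end
  def marshal_dump; [@tag]; end
  def marshal_load(data)
    @tag = data[0]
    @loaded_with = "marshal_load ran with #{@tag}"
  end
end

# Operator check: does a cookie issued by a deployment verify under the shipped
# default? If so, that instance still runs with SECRET_KEY_BASE=OVERWRITE_ME.
def default_secret_in_use?(cookie)
  !verify(cookie, derive_key(DEFAULT_SECRET_KEY_BASE)).nil?
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_marshal_cookie(Probe.new("attacker"), DEFAULT_SECRET_KEY_BASE)
  puts "default secret in use: #{default_secret_in_use?(forged)}"
  puts "marshal reader: #{read_cookie_marshal(forged, DEFAULT_SECRET_KEY_BASE).loaded_with}"
  rotated = "constructed-unique-secret-for-this-deployment"  # stand-in for a real random value
  puts "after rotation: #{read_cookie_marshal(forged, rotated).inspect}"
  puts "json reader on the same cookie: #{read_cookie_json(forged, DEFAULT_SECRET_KEY_BASE).inspect}"
end
```

The practical check is the last function: log in to your own instance, take the cookie it issues, and see whether it verifies under OVERWRITE_ME. Rotating the secret (for example with openssl rand -hex 64) invalidates every cookie minted under the old value, and the new value has to be identical across all containers of one deployment or sessions will not survive a request landing on a different container; switching the serializer to :json closes the class-instantiation path even against a future key leak, at the cost of invalidating cookies that still hold Marshal data.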

CWE(s)

CWE-502 Deserialization of Untrusted Data; CWE-798 Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A default secret key gives any logged-in user (CVSS PR:L) a deterministic deserialization RCE path in a public-facing web app (CWE-502 + CWE-798).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2026-27333 (shared CWE-502)
  • CVE-2024-13824 (shared CWE-502)
  • CVE-2026-22451 (shared CWE-502)
  • CVE-2025-7696 (shared CWE-502)
  • CVE-2026-39446 (shared CWE-502)
  • CVE-2026-49106 (shared CWE-502)
  • CVE-2026-41862 (shared CWE-502)
  • CVE-2026-12256 (shared CWE-502)
  • CVE-2025-31634 (shared CWE-502)
  • CVE-2026-25873 (shared CWE-502)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

  • Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products.
  • Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.
  • Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments. (addresses: CWE-1188, CWE-1392)
  • Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines. (addresses: CWE-798, CWE-1392)
  • Policy and procedures prohibit hard-coded credentials in favor of managed authentication. (addresses: CWE-798, CWE-1392)
  • Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials. (addresses: CWE-798, CWE-1188)
  • Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code. (addresses: CWE-798)
  • Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only). These rules match CWE-1188 (insecure default initialization) in general and do not touch OpenProject itself; for this CVE the deployment-level fix is to replace the shipped SECRET_KEY_BASE with a unique secret before first use and update to a fixed release.

Oracle Linux 8 (1 rule)
  • V-248823 OL 8 must not have the telnet-server package installed. via CWE-1188
RHEL 7 (1 rule)
  • V-204627 SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default. via CWE-1188
Ubuntu 22.04 (1 rule)
  • V-260529 Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. via CWE-1188
Ubuntu 24.04 (1 rule)
  • V-270708 Ubuntu 24.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. via CWE-1188
Windows Server 2016 (1 rule)
  • V-224972 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
Windows Server 2019 (1 rule)
  • V-205741 Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
Windows Server 2022 (1 rule)
  • V-254393 Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
