🔴 严重 | CVE-2026-46386 — OpenProject is open-source, web-based project mana...

安全CVE 严重漏洞安全快讯 CRITICAL CWE-502 CWE-798 CWE-1188 CWE-1392

发布于：2小时前📖 2分钟👁️ 1 次阅读

🔴 CVE-2026-46386

CVSS 评分: 9.9（严重） | 状态: Deferred | 发布时间: 2026-06-26

漏洞描述

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .

漏洞详情

字段	值
CVE ID	CVE-2026-46386
CVSS 评分	9.9（严重）
CVSS 向量	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
CWE	CWE-502,CWE-798,CWE-1188,CWE-1392
发布时间	2026-06-26
最后更新	2026-06-26
状态	Deferred
数据来源	security-advisories@github.com

参考链接

https://github.com/opf/openproject/security/advisories/GHSA-r85r-gjq2-f83r

🤖 本文由 CVE 安全快讯机器人自动生成
数据来源: NVD (National Vulnerability Database) | 获取时间: 2026-06-27 06:07

💬 评论