External risk intelligence

OpenProject Docker Image Default Secret Key Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-46386

OpenProject is a web-based project management application that is commonly deployed as an internet-facing web service to facilitate remote collaboration and external project access. The vulnerability is reachable via standard web application endpoints, which are frequently exposed to the public internet in typical deployments.

Deserialization

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

OpenProject, a web-based project management tool, has a critical vulnerability that could allow logged-in users to gain unauthorized access to sensitive system information. This issue stems from a default, predictable secret key within its Docker image, which, when combined with a specific configuration, creates a security weakness. The main concern at this stage is confirming if this technology is in use within our environment and, if so, to what extent it is exposed.

  • Predictable secret key allows unauthorized access.
  • Matters due to web-based project management use.
  • Confirm relevance and exposure; assess impact.

Attack Path

How an attacker could exploit the issue

An attacker with basic access to OpenProject could exploit this vulnerability by crafting a special cookie. This would allow them to trigger a weakness in how the application handles sensitive information, potentially leading to a complete compromise of the system.

  • Attacker needs to be logged in.
  • Triggered by a specially crafted cookie.
  • Risks data compromise and system control.

Live Threat

Current exploitation, exposure, and threat context

A logged-in user could leverage a default master key and a deserialization vulnerability to affect service behavior and potentially compromise system or user data.

  • System data and service behavior.
  • Logged-in user can exploit default master key.
  • Unauthorized access and data manipulation.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in OpenProject's default configuration requires immediate attention from teams managing web applications and their underlying infrastructure. The first step is to identify all instances of OpenProject, confirm their exposure and criticality, and then engage the accountable owners to plan a secure remediation.

  • App owners and infrastructure teams.
  • Confirm default secret key usage.
  • Plan and execute configuration updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenProject?

OpenProject is a web-based, open-source project management platform used by teams to track tasks, plan workflows, and collaborate on projects. It is frequently deployed as a centralized hub for team communication and documentation, often run as a containerized application to simplify installation and scaling within organizational infrastructure.

What is the vulnerability behind CVE-2026-46386?

This CVE involves a vulnerability classified as Deserialization of Untrusted Data (CWE-502), compounded by the use of hardcoded credentials (CWE-798). The application uses a predictable default secret key in its Docker configuration. When paired with specific cookie serialization settings, this allows an attacker to manipulate session data, leading to unauthorized code execution or system compromise.

How is this vulnerability triggered?

An attacker must have an existing user account to trigger the flaw, as it requires interaction with specific application endpoints. By sending a specially crafted cookie to the system, the attacker leverages the known secret key to bypass security checks. Simply browsing the site or accessing public, unauthenticated pages does not trigger this deserialization process.

Is my instance of OpenProject at risk?

Halo Surface Signal indicates that OpenProject instances are often deployed as internet-facing services to enable remote collaboration. If your instance is accessible from the public internet, it falls into a higher risk category. You should determine if your deployment uses the default secret key, as any instance reachable via the web is potentially exposed to this attack vector.

Do I need to change my OpenProject configuration?

Yes, you must verify your deployment's configuration immediately. Your primary goal is to ensure the application is not using the default secret key provided in the official Docker image. Coordinate with your infrastructure or application team to rotate any default keys to a unique, secure value and review current security settings to prevent unauthorized cookie processing.

References