Impact
OpenProject's official Docker image ships with the Rails secret_key_base set to the literal string OVERWRITE_ME (through the SECRET_KEY_BASE environment variable) and with cookies_serializer set to :marshal. secret_key_base is the value from which Rails derives its cookie-signing key, so a publicly known default lets anyone mint cookies that pass signature verification, and the :marshal serializer then hands the verified payload to Ruby's Marshal.load. An authenticated user can therefore send a specially crafted cookie to the /my/two_factor_devices endpoint, where it is deserialized; Marshal instantiates whatever classes the payload names, which gives the attacker arbitrary Ruby code execution inside the OpenProject application process. This is a classic insecure-deserialization flaw (CWE-502) compounded by insecure default settings (CWE-1188, CWE-1392) and a hard-coded secret (CWE-798).
Affected Systems
OpenProject deployments that use the openproject/openproject Docker image prior to the version that fixed the issue are affected. Any container still running with the image's default SECRET_KEY_BASE=OVERWRITE_ME and with cookies_serializer set to :marshal falls into this category. Overriding SECRET_KEY_BASE with a long random value removes the forgery precondition even on an unfixed image, but the Marshal serializer remains a liability if the secret ever leaks, so both settings should be changed.
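The forged-cookie mechanism described under Impact, together with a check for the Affected Systems criteria, as an added Ruby example that is not OpenProject's or Rails' code. It models the Rails signed-cookie scheme with the standard library only; the key-derivation parameters, the cookie layout, the Probe class and the affected? and fresh_secret_key_base helpers are assumptions made for the illustration, and the payload is a benign probe class rather than any real gadget chain.

```ruby
require "openssl"
require "json"
require "securerandom"

# Added illustration, not OpenProject's or Rails' code. Assumed model of the Rails
# signed-cookie scheme: signing key = PBKDF2-HMAC-SHA1(secret_key_base, salt
# "signed cookie", 1000 iterations, 64 bytes); cookie = base64(payload) + "--" +
# HMAC-SHA1 over the base64 text. Real Rails adds a metadata envelope and newer
# releases use other digests, so the constants approximate the mechanism.
DEFAULT_SECRET_KEY_BASE = "OVERWRITE_ME" # the value the page says the image ships with

def cookie_signing_key(secret_key_base)
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: "signed cookie",
                           iterations: 1000, length: 64, hash: "sha1")
end

def sign_cookie(payload, secret_key_base)
  data = [payload].pack("m0") # strict base64, no newlines
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", cookie_signing_key(secret_key_base), data)}"
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: returns the raw payload bytes, or nil if the signature is wrong.
def verify_cookie(cookie, secret_key_base)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", cookie_signing_key(secret_key_base), data)
  return nil unless constant_time_equal?(expected, digest)
  data.unpack1("m0")
rescue ArgumentError # malformed base64
  nil
end

MARSHAL_LOAD_CALLS = []

# Benign stand-in for a class the attacker names in the payload: Marshal.load
# allocates it and calls marshal_load without the application ever asking.
class Probe
  attr_reader :note
  def initialize(note)
    @note = note
  end
  def marshal_dump
    @note
  end
  def marshal_load(note)
    @note = note
    MARSHAL_LOAD_CALLS << note
  end
end

def deserialize(payload, serializer)
  case serializer
  when :marshal then Marshal.load(payload) # instantiates whatever classes the bytes name
  when :json    then JSON.parse(payload)   # only Hash/Array/String/Numeric/true/false/nil
  else raise ArgumentError, "unknown cookies_serializer #{serializer.inspect}"
  end
end

# What the application does with an inbound cookie, given its secret and serializer.
def load_cookie(cookie, secret_key_base, serializer)
  payload = verify_cookie(cookie, secret_key_base)
  return :bad_signature if payload.nil?
  deserialize(payload, serializer)
rescue JSON::ParserError
  :rejected_by_json
end

# Attacker side: anyone who knows the secret can sign an arbitrary Marshal stream.
def forged_marshal_cookie(secret_key_base = DEFAULT_SECRET_KEY_BASE)
  sign_cookie(Marshal.dump(Probe.new("attacker-controlled")), secret_key_base)
end

# Check for the affected configuration: would a cookie minted with the public
# default be accepted and handed to Marshal? `env` is any Hash shaped like ENV.
def affected?(env, serializer)
  load_cookie(forged_marshal_cookie, env["SECRET_KEY_BASE"].to_s, serializer).is_a?(Probe)
end

def fresh_secret_key_base
  SecureRandom.hex(64) # 128 hex characters, the size `bin/rails secret` produces
end
```

With the default secret and the :marshal serializer, load_cookie returns a Probe instance and MARSHAL_LOAD_CALLS records the hook invocation, which is the point at which a real payload would run attacker-chosen code. The same forged cookie becomes :bad_signature under a fresh secret, and under :json it is rejected by the parser; a JSON cookie signed with the default secret still verifies but can only yield plain data types. affected?(ENV, serializer) applies that test to a container's own settings.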
Risk and Exploitability
The CVSS base score of 9.9 marks this as a critical issue. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attacker must hold an authenticated session, but needs nothing else: because the signing secret is the published default, a validly signed cookie can be minted offline and delivered in an ordinary HTTP request, with no user interaction or brute force involved. Exploitation risk is therefore high wherever the image's default settings have not been overridden.
OpenCVE Enrichment