CVE-2026-46386
OpenProject · OpenProject
A default, insecure secret key configuration in the official OpenProject Docker image allows authenticated users to achieve remote code execution via Marshal-deserialization of cookies.
Executive summary
A critical security misconfiguration in the official OpenProject Docker image exposes users to remote code execution due to the use of a predictable, default Rails master key.
Vulnerability
The official Docker image ships with a default Rails secret key (SECRET_KEY_BASE=OVERWRITE_ME), which allows authenticated users to forge cookies. Because the application uses :marshal for cookie serialization, this allows an attacker to trigger arbitrary code execution during the deserialization process.
Business impact
This vulnerability carries a CVSS score of 9.9, reflecting the extreme risk of total system compromise. By leveraging this flaw, an authenticated user can execute arbitrary code on the server hosting the OpenProject application. This grants the attacker full control over the project management environment, facilitating lateral movement, data theft, or complete system takeover.
Remediation
Immediate Action: Update to the latest version of OpenProject and ensure the SECRET_KEY_BASE environment variable is changed to a strong, unique, and securely generated secret.
Proactive Monitoring: Monitor server logs for signs of anomalous process execution or unexpected system-level changes originating from the OpenProject container.
Compensating Controls: Restrict access to the OpenProject instance to trusted networks only and ensure that the application is running with the least privilege necessary within the container environment.
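As an added example (not from the advisory or the OpenProject project), a small POSIX shell audit that flags the shipped placeholder SECRET_KEY_BASE named above, empty values, and short values, and generates a replacement of the length rails secret produces; the container name passed to audit_container is an assumption to adjust for your deployment.

```shell
#!/bin/sh
# Added example, not OpenProject's own tooling. Checks a SECRET_KEY_BASE value
# against the default placeholder from the advisory (OVERWRITE_ME) and a minimum
# length, then offers a generator for a replacement secret.
# Assumption: "strong" here means at least 64 characters of random material.

# Returns 0 when the value is acceptable; 1 when it is empty, the default
# placeholder, or shorter than 64 characters. Reasons go to stderr.
check_secret_key_base() {
  value="$1"
  if [ -z "$value" ]; then
    echo "SECRET_KEY_BASE is unset or empty" >&2
    return 1
  fi
  if [ "$value" = "OVERWRITE_ME" ]; then
    echo "SECRET_KEY_BASE is the default placeholder shipped in the image" >&2
    return 1
  fi
  if [ "${#value}" -lt 64 ]; then
    echo "SECRET_KEY_BASE is shorter than 64 characters" >&2
    return 1
  fi
  return 0
}

# Produces 128 hex characters (64 random bytes), the size `rails secret` emits,
# using /dev/urandom so it does not depend on openssl being installed.
generate_secret_key_base() {
  head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Reads SECRET_KEY_BASE from a running container's environment and checks it.
# The container name is an assumption; pass whatever `docker ps` shows for your deployment.
audit_container() {
  container="$1"
  value="$(docker exec "$container" printenv SECRET_KEY_BASE 2>/dev/null)"
  check_secret_key_base "$value"
}
```

Run audit_container openproject-web (or your container's name) after updating; a non-zero exit means the secret must be rotated before the instance is exposed again.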
Exploitation status
Public Exploit Available: No
Analyst recommendation
The reliance on a default, predictable secret key in a production-ready Docker image is a significant security failure. Administrators must immediately rotate their secret keys and update their deployment configurations to ensure the environment is secured against this deserialization attack vector.