CWE-1393
AllowedUse of Default Password
Abstraction: Base · Status: Incomplete
The product uses default passwords for potentially critical functionality.
72 vulnerabilities reference this CWE, most recent first.
GHSA-7H86-XP6G-V5H6
Vulnerability from github – Published: 2026-01-09 12:32 – Updated: 2026-01-14 18:31Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.
{
"affected": [],
"aliases": [
"CVE-2025-66050"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-09T12:15:53Z",
"severity": "CRITICAL"
},
"details": "Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need.\nThe vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.",
"id": "GHSA-7h86-xp6g-v5h6",
"modified": "2026-01-14T18:31:17Z",
"published": "2026-01-09T12:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66050"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/01/CVE-2025-66049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7R79-PPGG-4H8M
Vulnerability from github – Published: 2024-08-22 15:31 – Updated: 2024-08-22 21:31An issue was discovered on Swissphone DiCal-RED 4009 devices. An attacker with access to the file /etc/deviceconfig may recover the administrative device password via password-cracking methods, because unsalted MD5 is used.
{
"affected": [],
"aliases": [
"CVE-2024-36440"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T15:15:15Z",
"severity": "MODERATE"
},
"details": "An issue was discovered on Swissphone DiCal-RED 4009 devices. An attacker with access to the file /etc/deviceconfig may recover the administrative device password via password-cracking methods, because unsalted MD5 is used.",
"id": "GHSA-7r79-ppgg-4h8m",
"modified": "2024-08-22T21:31:29Z",
"published": "2024-08-22T15:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36440"
},
{
"type": "WEB",
"url": "https://www.swissphone.com/en-us/solutions/components/terminals/radio-data-module-dical-red"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-037.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-88VW-GGF5-3P2W
Vulnerability from github – Published: 2025-03-11 18:32 – Updated: 2025-03-11 18:32An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova and in PMM3 3.0.0-1.ova and later.
{
"affected": [],
"aliases": [
"CVE-2025-26701"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T18:15:33Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova and in PMM3 3.0.0-1.ova and later.",
"id": "GHSA-88vw-ggf5-3p2w",
"modified": "2025-03-11T18:32:21Z",
"published": "2025-03-11T18:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26701"
},
{
"type": "WEB",
"url": "https://www.percona.com/blog/security-advisory-cve-affecting-percona-monitoring-and-management-pmm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8PXW-9C75-6W56
Vulnerability from github – Published: 2025-08-28 13:33 – Updated: 2026-07-02 20:22Impact
A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in admin account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.
In earlier versions, NeuVector supports setting the default (bootstrap) password for the admin account using a Kubernetes Secret named neuvector-bootstrap-secret. This Secret must contain a key named bootstrapPassword. However, if NeuVector fails to retrieve this value, it falls back to the fixed default password.
Patches
This issue is resolved in NeuVector version 5.4.6 and later. For rolling upgrades, it's strongly recommended to change the default admin password to a secure one.
Starting from version 5.4.6, NeuVector introduces additional Kubernetes RBAC permissions to ensure the bootstrap password can be securely managed via Secrets:
kubectl create role neuvector-binding-secret-controller \
--verb=create,patch,update --resource=secrets -n {neuvector}
kubectl create rolebinding neuvector-binding-secret-controller \
--role=neuvector-binding-secret-controller \
--serviceaccount=neuvector:controller \
--serviceaccount=neuvector:default -n {neuvector}
- These RBAC roles are automatically applied when deploying via Helm.
- If deploying or upgrading manually, you must create these roles before starting NeuVector.
NOTE: If these roles are not present, the NeuVector controller (from version 5.4.6 onward) does not start.
Behavior in Patched Versions
- Upgrades: NeuVector does not reset any existing account passwords. It's strongly recommended to change the default
adminpassword to a secure one. - New deployments:
- If
bootstrapPasswordis not set in the `neuvector-bootstrap-secret, NeuVector generates a secure password and stores it in the same Secret.
On first login, the default admin must retrieve the password using:
kubectl get secret -n {neuvector} neuvector-bootstrap-secret \
-o go-template='{{ .data.bootstrapPassword | base64decode }}{{ "\n" }}'
The password must be changed during the first login via the NeuVector UI.
NOTE: If the default admin password is set using a Kubernetes ConfigMap or a persistent backup (not a fixed string), this value takes precedence over the Secret-based mechanism.
Workarounds
For existing vulnerable versions, log in to the NeuVector UI immediately after deployment and update the default admin password.
References
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the NeuVector repository.
- Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/neuvector/neuvector"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250825191744-da1a462074c3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-8077"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-28T13:33:36Z",
"nvd_published_at": "2025-09-17T13:15:34Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nA vulnerability exists in NeuVector versions up to and including **5.4.5**, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.\n\nIn earlier versions, NeuVector supports setting the default (bootstrap) password for the `admin` account using a Kubernetes Secret named `neuvector-bootstrap-secret`. This Secret must contain a key named `bootstrapPassword`. However, if NeuVector fails to retrieve this value, it falls back to the fixed default password.\n\n### Patches\n\nThis issue is resolved in NeuVector version **5.4.6** and later. For rolling upgrades, it\u0027s strongly recommended to change the default `admin` password to a secure one.\n\nStarting from version **5.4.6**, NeuVector introduces additional Kubernetes RBAC permissions to ensure the bootstrap password can be securely managed via Secrets:\n\n```\nkubectl create role neuvector-binding-secret-controller \\\n --verb=create,patch,update --resource=secrets -n {neuvector}\n\nkubectl create rolebinding neuvector-binding-secret-controller \\\n --role=neuvector-binding-secret-controller \\\n --serviceaccount=neuvector:controller \\\n --serviceaccount=neuvector:default -n {neuvector}\n```\n\n- These RBAC roles are automatically applied when deploying via Helm.\n- If deploying or upgrading manually, you must create these roles before starting NeuVector.\n\n**NOTE:** If these roles are not present, the NeuVector controller (from version 5.4.6 onward) does not start.\n\n#### Behavior in Patched Versions\n\n- **Upgrades:** NeuVector does not reset any existing account passwords. It\u0027s strongly recommended to change the default `admin` password to a secure one.\n- **New deployments:**\n - If `bootstrapPassword` is not set in the `neuvector-bootstrap-secret, NeuVector generates a secure password and stores it in the same Secret.\n\nOn first login, the default `admin` must retrieve the password using:\n\n```\nkubectl get secret -n {neuvector} neuvector-bootstrap-secret \\\n -o go-template=\u0027{{ .data.bootstrapPassword | base64decode }}{{ \"\\n\" }}\u0027\n```\n\nThe password must be changed during the first login via the NeuVector UI.\n\n**NOTE:** If the default `admin` password is set using a Kubernetes ConfigMap or a persistent backup (not a fixed string), this value takes precedence over the Secret-based mechanism.\n\n### Workarounds\n\nFor existing vulnerable versions, log in to the NeuVector UI immediately after deployment and update the default `admin` password.\n\n### References\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
"id": "GHSA-8pxw-9c75-6w56",
"modified": "2026-07-02T20:22:56Z",
"published": "2025-08-28T13:33:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8077"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-8077"
},
{
"type": "PACKAGE",
"url": "https://github.com/neuvector/neuvector"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "NeuVector admin account has insecure default password"
}
GHSA-8XPW-V6VW-79JF
Vulnerability from github – Published: 2024-11-08 09:30 – Updated: 2025-11-04 00:31An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. In addition, this enables an attacker to create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITY\SYSTEM").
{
"affected": [],
"aliases": [
"CVE-2024-50588"
],
"database_specific": {
"cwe_ids": [
"CWE-1393",
"CWE-419"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-08T09:15:07Z",
"severity": "CRITICAL"
},
"details": "An unauthenticated attacker with access to the local network of the \nmedical office can use known default credentials to gain remote DBA \naccess to the Elefant Firebird database. The data in the database \nincludes patient data and login credentials among other sensitive data. \nIn addition, this enables an attacker to create and overwrite arbitrary \nfiles on the server filesystem with the rights of the Firebird database \n(\"NT AUTHORITY\\SYSTEM\").",
"id": "GHSA-8xpw-v6vw-79jf",
"modified": "2025-11-04T00:31:58Z",
"published": "2024-11-08T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50588"
},
{
"type": "WEB",
"url": "https://hasomed.de/produkte/elefant"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/hasomed"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9356-5WVV-MWC4
Vulnerability from github – Published: 2023-08-07 12:30 – Updated: 2024-04-04 06:35Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials
{
"affected": [],
"aliases": [
"CVE-2023-32090"
],
"database_specific": {
"cwe_ids": [
"CWE-1393",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-07T12:15:10Z",
"severity": "CRITICAL"
},
"details": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n",
"id": "GHSA-9356-5wvv-mwc4",
"modified": "2024-04-04T06:35:34Z",
"published": "2023-08-07T12:30:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32090"
},
{
"type": "WEB",
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-939J-XF2F-9RPF
Vulnerability from github – Published: 2025-07-23 00:30 – Updated: 2025-10-02 18:30A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could allow the use and retrieval of the default password. HP has addressed the issue in the latest software update.
{
"affected": [],
"aliases": [
"CVE-2025-43021"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-22T23:15:24Z",
"severity": "MODERATE"
},
"details": "A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could allow the use and retrieval of the default password. HP has addressed the issue in the latest software update.",
"id": "GHSA-939j-xf2f-9rpf",
"modified": "2025-10-02T18:30:56Z",
"published": "2025-07-23T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43021"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_12781425-12781447-16/hbsbpy04037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9HF6-6H22-3J9H
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-11-18 21:30An issue in Vehicle Management System 7.31.0.3_20230412 allows an attacker to escalate privileges via the login.html component.
{
"affected": [],
"aliases": [
"CVE-2024-30802"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:23:53Z",
"severity": "CRITICAL"
},
"details": "An issue in Vehicle Management System 7.31.0.3_20230412 allows an attacker to escalate privileges via the login.html component.",
"id": "GHSA-9hf6-6h22-3j9h",
"modified": "2024-11-18T21:30:43Z",
"published": "2024-05-14T15:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30802"
},
{
"type": "WEB",
"url": "https://github.com/WarmBrew/web_vul/blob/main/CVES/CVE-2024-30802.md"
},
{
"type": "WEB",
"url": "https://github.com/WarmBrew/web_vul/blob/main/TTX.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9M29-X4P3-HVHR
Vulnerability from github – Published: 2025-03-16 21:35 – Updated: 2025-03-16 21:35A vulnerability was found in IROAD Dash Cam FX2 up to 20250308 and classified as problematic. This issue affects some unknown processing of the component Device Registration. The manipulation of the argument Password with the input qwertyuiop leads to use of default password. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-2347"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-16T21:15:37Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in IROAD Dash Cam FX2 up to 20250308 and classified as problematic. This issue affects some unknown processing of the component Device Registration. The manipulation of the argument Password with the input qwertyuiop leads to use of default password. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-9m29-x4p3-hvhr",
"modified": "2025-03-16T21:35:03Z",
"published": "2025-03-16T21:35:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2347"
},
{
"type": "WEB",
"url": "https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-7-bypass-of-device-pairingregistration-for-iroad-fx2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.299813"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.299813"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FGMC-2HQJ-86V4
Vulnerability from github – Published: 2026-06-05 16:45 – Updated: 2026-07-09 21:06Impact
Vantage6 currently provides an initial user with username root and password root. This is not ideal for the following reasons:
- Attackers know that almost all vantage6 servers have a user with username root that probably has admin rights
- The initial password is very weak and it is possible that administrators forget to reset it.
Patches
No
Workarounds
It is possible to delete the root user after it has been used to create other users
References
We could consider doing this like mongodb
Additional info
Luis uses the following patch to mitigate it:
diff --git a/vantage6-server/vantage6/server/__init__.py b/vantage6-server/vantage6/server/__init__.py
index ea362c1e..c6dcbbd9 100644
--- a/vantage6-server/vantage6/server/__init__.py
+++ b/vantage6-server/vantage6/server/__init__.py
@@ -618,18 +618,30 @@ class ServerApp:
# TODO use constant instead of 'Root' literal
root = db.Role.get_by_name("Root")
- log.warn(
- f"Creating root user: "
- f"username={SUPER_USER_INFO['username']}, "
- f"password={SUPER_USER_INFO['password']}"
- )
+ # Temporary patch
+ # read initial root password from file (docker secret) if provided
+ # TODO: This is a workaround so we don't have an insecure vserver
+ # at the start. Ideally, we would provide an already hashed
+ # password. But as hashing is implemented via @validates on
+ # the field 'password', there isn't a nice way around this.
+ if os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE"):
+ with open(
+ os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE")
+ ) as password_file:
+ initial_root_password = password_file.read().strip()
+ log.info(
+ f"Creating root user with password provided via V6_INITIAL_ROOT_PASSWORD_FILE"
+ )
+ else:
+ initial_root_password = SUPER_USER_INFO["password"]
+ log.warn(f"Creating root user with default credentials!")
user = db.User(
username=SUPER_USER_INFO["username"],
roles=[root],
organization=org,
email="root@domain.ext",
- password=SUPER_USER_INFO["password"],
+ password=initial_root_password,
failed_login_attempts=0,
last_login_attempt=None,
)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.3"
},
"package": {
"ecosystem": "PyPI",
"name": "vantage6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54445"
],
"database_specific": {
"cwe_ids": [
"CWE-1393",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T16:45:22Z",
"nvd_published_at": "2026-06-17T23:17:05Z",
"severity": "MODERATE"
},
"details": "### Impact\nVantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons:\n- Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights\n- The initial password is very weak and it is possible that administrators forget to reset it.\n\n### Patches\nNo\n\n### Workarounds\nIt is possible to delete the `root` user after it has been used to create other users\n\n### References\nWe could consider doing this like [mongodb](https://hub.docker.com/_/mongo)\n\n### Additional info\n\nLuis uses the following patch to mitigate it:\n```diff\ndiff --git a/vantage6-server/vantage6/server/__init__.py b/vantage6-server/vantage6/server/__init__.py\nindex ea362c1e..c6dcbbd9 100644\n--- a/vantage6-server/vantage6/server/__init__.py\n+++ b/vantage6-server/vantage6/server/__init__.py\n@@ -618,18 +618,30 @@ class ServerApp:\n # TODO use constant instead of \u0027Root\u0027 literal\n root = db.Role.get_by_name(\"Root\")\n \n- log.warn(\n- f\"Creating root user: \"\n- f\"username={SUPER_USER_INFO[\u0027username\u0027]}, \"\n- f\"password={SUPER_USER_INFO[\u0027password\u0027]}\"\n- )\n+ # Temporary patch\n+ # read initial root password from file (docker secret) if provided\n+ # TODO: This is a workaround so we don\u0027t have an insecure vserver\n+ # at the start. Ideally, we would provide an already hashed\n+ # password. But as hashing is implemented via @validates on\n+ # the field \u0027password\u0027, there isn\u0027t a nice way around this.\n+ if os.environ.get(\"V6_INITIAL_ROOT_PASSWORD_FILE\"):\n+ with open(\n+ os.environ.get(\"V6_INITIAL_ROOT_PASSWORD_FILE\")\n+ ) as password_file:\n+ initial_root_password = password_file.read().strip()\n+ log.info(\n+ f\"Creating root user with password provided via V6_INITIAL_ROOT_PASSWORD_FILE\"\n+ )\n+ else:\n+ initial_root_password = SUPER_USER_INFO[\"password\"]\n+ log.warn(f\"Creating root user with default credentials!\")\n \n user = db.User(\n username=SUPER_USER_INFO[\"username\"],\n roles=[root],\n organization=org,\n email=\"root@domain.ext\",\n- password=SUPER_USER_INFO[\"password\"],\n+ password=initial_root_password,\n failed_login_attempts=0,\n last_login_attempt=None,\n )\n```",
"id": "GHSA-fgmc-2hqj-86v4",
"modified": "2026-07-09T21:06:52Z",
"published": "2026-06-05T16:45:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-fgmc-2hqj-86v4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54445"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/issues/1932"
},
{
"type": "PACKAGE",
"url": "https://github.com/vantage6/vantage6"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/blob/main/docs/release_notes.rst#500"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vantage6: Set admin user and password from environment or configuration"
}
Mitigation
Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.
Mitigation
Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.
Mitigation
Force the administrator to change the credential upon installation.
Mitigation
The product administrator could change the defaults upon installation or during operation.
No CAPEC attack patterns related to this CWE.