CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2176 vulnerabilities reference this CWE, most recent first.
GHSA-2QCW-CW26-GCHC
Vulnerability from github – Published: 2025-12-10 09:30 – Updated: 2026-05-28 15:39Hard-coded cryptographic keys in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI
{
"affected": [],
"aliases": [
"CVE-2025-13954"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T09:15:46Z",
"severity": "CRITICAL"
},
"details": "Hard-coded cryptographic keys in Admin UI of EZCast Pro II version 1.17478.146\u00a0allows attackers to bypass authorization checks and gain full access to the admin UI",
"id": "GHSA-2qcw-cw26-gchc",
"modified": "2026-05-28T15:39:37Z",
"published": "2025-12-10T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13954"
},
{
"type": "WEB",
"url": "https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html"
},
{
"type": "WEB",
"url": "https://www.nimbletech.com.tw/index.php/release-note"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2QQC-P94C-HXWH
Vulnerability from github – Published: 2026-04-16 21:22 – Updated: 2026-04-16 21:22Detection Method: Kolega.dev Deep Code Scan
| Attribute | Value |
|---|---|
| Location | packages/server/src/enterprise/middleware/passport/index.ts:55 |
| Practical Exploitability | High |
| Developer Approver | faizan@kolega.ai |
Description
Express session secret has a weak default value 'flowise' when EXPRESS_SESSION_SECRET is not set.
Affected Code
secret: process.env.EXPRESS_SESSION_SECRET || 'flowise'
Evidence
The default session secret 'flowise' is publicly visible and weak. Session cookies signed with this secret can be forged by attackers.
Impact
Session hijacking and forgery - attackers can create arbitrary session cookies to impersonate any user, bypassing all authentication mechanisms.
Recommendation
Require EXPRESS_SESSION_SECRET to be set with a strong random value. Throw an error on startup if not configured. Use cryptographically strong random strings (minimum 256 bits).
Notes
The Express session secret defaults to the string 'flowise' when EXPRESS_SESSION_SECRET is not set (line 55). This secret is used to sign session cookies via express-session middleware. Since 'flowise' is publicly visible in the source code, an attacker can forge valid session cookies to impersonate any user without authentication. The .env.example file has this commented out (# EXPRESS_SESSION_SECRET=flowise), implying it's optional, which compounds the risk. Unlike development-only defaults, this code path is active in production if the environment variable is not set. The application should require EXPRESS_SESSION_SECRET to be explicitly configured with a cryptographically strong random value and fail to start otherwise.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.13"
},
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T21:22:00Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "**Detection Method:** Kolega.dev Deep Code Scan\n\n| Attribute | Value |\n|---|---|\n| Location | packages/server/src/enterprise/middleware/passport/index.ts:55 |\n| Practical Exploitability | High |\n| Developer Approver | faizan@kolega.ai |\n\n### Description\nExpress session secret has a weak default value \u0027flowise\u0027 when EXPRESS_SESSION_SECRET is not set.\n\n### Affected Code\n```\nsecret: process.env.EXPRESS_SESSION_SECRET || \u0027flowise\u0027\n```\n\n### Evidence\nThe default session secret \u0027flowise\u0027 is publicly visible and weak. Session cookies signed with this secret can be forged by attackers.\n\n### Impact\nSession hijacking and forgery - attackers can create arbitrary session cookies to impersonate any user, bypassing all authentication mechanisms.\n\n### Recommendation\nRequire EXPRESS_SESSION_SECRET to be set with a strong random value. Throw an error on startup if not configured. Use cryptographically strong random strings (minimum 256 bits).\n\n### Notes\nThe Express session secret defaults to the string \u0027flowise\u0027 when EXPRESS_SESSION_SECRET is not set (line 55). This secret is used to sign session cookies via express-session middleware. Since \u0027flowise\u0027 is publicly visible in the source code, an attacker can forge valid session cookies to impersonate any user without authentication. The .env.example file has this commented out (# EXPRESS_SESSION_SECRET=flowise), implying it\u0027s optional, which compounds the risk. Unlike development-only defaults, this code path is active in production if the environment variable is not set. The application should require EXPRESS_SESSION_SECRET to be explicitly configured with a cryptographically strong random value and fail to start otherwise.",
"id": "GHSA-2qqc-p94c-hxwh",
"modified": "2026-04-16T21:22:00Z",
"published": "2026-04-16T21:22:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2qqc-p94c-hxwh"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Flowise: Weak Default Express Session Secret"
}
GHSA-2QQR-7RG8-6QMH
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist.
{
"affected": [],
"aliases": [
"CVE-2021-33220"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist.",
"id": "GHSA-2qqr-7rg8-6qmh",
"modified": "2022-05-24T19:07:00Z",
"published": "2022-05-24T19:07:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33220"
},
{
"type": "WEB",
"url": "https://korelogic.com/advisories.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/May/73"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2R4P-GW5X-3P8W
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11General Electric (GE) Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware before 5.5.0 and ML810, ML3000, and ML3100 switches with firmware before 5.5.0k have hardcoded credentials, which allows remote attackers to modify configuration settings via the web interface.
{
"affected": [],
"aliases": [
"CVE-2016-2310"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-06-09T10:59:00Z",
"severity": "CRITICAL"
},
"details": "General Electric (GE) Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware before 5.5.0 and ML810, ML3000, and ML3100 switches with firmware before 5.5.0k have hardcoded credentials, which allows remote attackers to modify configuration settings via the web interface.",
"id": "GHSA-2r4p-gw5x-3p8w",
"modified": "2022-05-13T01:11:18Z",
"published": "2022-05-13T01:11:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2310"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-154-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2R5H-7MQ7-4Q8V
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43In net.MCrypt in the "Diary with lock" (aka WriteDiary) application 4.72 for Android, hardcoded SecretKey and iv variables are used for the AES parameters, which makes it easier for attackers to obtain the cleartext of stored diary entries.
{
"affected": [],
"aliases": [
"CVE-2017-15582"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-27T20:29:00Z",
"severity": "HIGH"
},
"details": "In net.MCrypt in the \"Diary with lock\" (aka WriteDiary) application 4.72 for Android, hardcoded SecretKey and iv variables are used for the AES parameters, which makes it easier for attackers to obtain the cleartext of stored diary entries.",
"id": "GHSA-2r5h-7mq7-4q8v",
"modified": "2022-05-13T01:43:47Z",
"published": "2022-05-13T01:43:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15582"
},
{
"type": "WEB",
"url": "https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.html"
},
{
"type": "WEB",
"url": "https://gist.github.com/anonymous/603b89f864a71426042b167cab557efa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2R6P-73Q6-355Q
Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-09-17 15:30Use of Hard-coded Credentials vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5 and newer versions
{
"affected": [],
"aliases": [
"CVE-2024-48842"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T15:15:41Z",
"severity": "HIGH"
},
"details": "Use of Hard-coded Credentials vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5 and newer versions",
"id": "GHSA-2r6p-73q6-355q",
"modified": "2025-09-17T15:30:39Z",
"published": "2025-09-17T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48842"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A7121\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2R8F-CF6W-X5VQ
Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-05-11 16:21Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-c8m8-3jcr-6rj5. This link is maintained to preserve external references.
Original Description
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fuxa-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T19:22:50Z",
"nvd_published_at": "2026-02-03T18:16:17Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-c8m8-3jcr-6rj5. This link is maintained to preserve external references.\n\n### Original Description\nFUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.",
"id": "GHSA-2r8f-cf6w-x5vq",
"modified": "2026-05-11T16:21:54Z",
"published": "2026-02-03T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69971"
},
{
"type": "PACKAGE",
"url": "https://github.com/frangoteam/FUXA"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: FUXA contains a hard-coded credential vulnerability",
"withdrawn": "2026-05-11T16:21:54Z"
}
GHSA-2R9P-58G6-HVJ9
Vulnerability from github – Published: 2022-04-30 18:14 – Updated: 2022-04-30 18:14The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
{
"affected": [],
"aliases": [
"CVE-2000-1139"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-01-09T05:00:00Z",
"severity": "HIGH"
},
"details": "The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the \"Exchange User Account\" vulnerability.",
"id": "GHSA-2r9p-58g6-hvj9",
"modified": "2022-04-30T18:14:58Z",
"published": "2022-04-30T18:14:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2000-1139"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-088"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/5537"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/1958"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2V5C-7G3G-HFX3
Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-26 12:30The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation.
{
"affected": [],
"aliases": [
"CVE-2025-59096"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-26T10:16:07Z",
"severity": "MODERATE"
},
"details": "The default password for the extended admin user mode in the application U9ExosAdmin.exe (\"Kaba 9300 Administration\") is hard-coded in multiple locations as well as documented in the locally stored user documentation.",
"id": "GHSA-2v5c-7g3g-hfx3",
"modified": "2026-01-26T12:30:28Z",
"published": "2026-01-26T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59096"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/dkexos"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/dormakaba"
},
{
"type": "WEB",
"url": "https://www.dormakabagroup.com/en/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2V7G-R6QX-CV4H
Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09The usage of hard-coded cryptographic keys within the ServiceAgent binary allows for the decryption of captured traffic across the network from or to the Moxa AWK-3131A firmware version 1.13.
{
"affected": [],
"aliases": [
"CVE-2019-5137"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-25T16:15:00Z",
"severity": "MODERATE"
},
"details": "The usage of hard-coded cryptographic keys within the ServiceAgent binary allows for the decryption of captured traffic across the network from or to the Moxa AWK-3131A firmware version 1.13.",
"id": "GHSA-2v7g-r6qx-cv4h",
"modified": "2022-05-24T17:09:36Z",
"published": "2022-05-24T17:09:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5137"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0926"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.