CVE-2026-54445
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username root and password root. This is not ideal because attackers know that almost all vantage6 servers have a user with username root that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the root user after it has been used to create other users.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vantage6 | vantage6 | < 5.0.0 | affected |
Weaknesses
- CWE-204: CWE-204: Observable Response Discrepancy
- CWE-1393: CWE-1393: Use of Default Password
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/vantage6/vantage6/security/advisories/GHSA-fgmc-2hqj-86v4
- https://github.com/vantage6/vantage6/issues/1932
- https://github.com/vantage6/vantage6/blob/main/docs/release_notes.rst#500
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.