GHSA-fgmc-2hqj-86v4: Vantage6: Set admin user and password from environment or configuration
Impact
Vantage6 currently provides an initial user with username root and password root. This is not ideal for the following reasons:
- Attackers know that almost all vantage6 servers have a user with username root that probably has admin rights
- The initial password is very weak and it is possible that administrators forget to reset it.
Patches
No
Workarounds
It is possible to delete the root user after it has been used to create other users
References
We could consider doing this like mongodb
Additional info
Luis uses the following patch to mitigate it:
diff --git a/vantage6-server/vantage6/server/init.py b/vantage6-server/vantage6/server/init.py
index ea362c1e..c6dcbbd9 100644
--- a/vantage6-server/vantage6/server/init.py
+++ b/vantage6-server/vantage6/server/init.py
@@ -618,18 +618,30 @@ class ServerApp:
TODO use constant instead of 'Root' literal
root = db.Role.get_by_name("Root")
- log.warn(
- f"Creating root user: "
- f"username={SUPER_USER_INFO['username']}, "
- f"password={SUPER_USER_INFO['password']}"
- )
- # Temporary patch
- # read initial root password from file (docker secret) if provided
- # TODO: This is a workaround so we don't have an insecure vserver
- # at the start. Ideally, we would provide an already hashed
- # password. But as hashing is implemented via @validates on
- # the field 'password', there isn't a nice way around this.
- if os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE"):
- with open(
- os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE")
- ) as password_file:
- initial_root_password = password_file.read().strip()
- log.info(
- f"Creating root user with password provided via V6_INITIAL_ROOT_PASSWORD_FILE"
- )
- else:
- initial_root_password = SUPER_USER_INFO["password"]
- log.warn(f"Creating root user with default credentials!")
user = db.User(
username=SUPER_USER_INFO["username"],
roles=[root],
organization=org,
email="root@domain.ext",
- password=SUPER_USER_INFO["password"],
- password=initial_root_password,
failed_login_atte
Details
Original advisory: https://github.com/advisories/GHSA-fgmc-2hqj-86v4
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-544450.29% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 21% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-54445 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10