CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54445

mediumcovered by 1 sourcefirst seen 2026-06-05
Impact Vantage6 currently provides an initial user with username root and password root. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username root that probably has admin rights - The initial password is very weak and it is possible that administrators forget to reset it. Patches No Workarounds It is possible to delete the root user after it has been used to create other users References We could consider doing this like mongodb Additional info Luis uses the following patch to mitigate it: diff --git a/vantage6-server/vantage6/server/init.py b/vantage6-server/vantage6/server/init.py index ea362c1e..c6dcbbd9 100644 --- a/vantage6-server/vantage6/server/init.py +++ b/vantage6-server/vantage6/server/init.py @@ -618,18 +618,30 @@ class ServerApp: TODO use constant instead of 'Root' literal root = db.Role.get_by_name("Root") - log.warn( - f"Creating root user: " - f"username={SUPER_USER_INFO['username']}, " - f"password={SUPER_USER_INFO['password']}" - ) - # Temporary patch - # read initial root password from file (docker secret) if provided - # TODO: This is a workaround so we don't have an insecure vserver - # at the start. Ideally, we would provide an already hashed - # password. But as hashing is implemented via @validates on - # the field 'password', there isn't a nice way around this. - if os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE"): - with open( - os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE") - ) as password_file: - initial_root_password = password_file.read().strip() - log.info( - f"Creating root user with password provided via V6_INITIAL_ROOT_PASSWORD_FILE" - ) - else: - initial_root_password = SUPER_USER_INFO["password"] - log.warn(f"Creating root user with default credentials!") user = db.User( username=SUPER_USER_INFO["username"], roles=[root], organization=org, email="root@domain.ext", - password=SUPER_USER_INFO["password"], - password=initial_root_password, failed_login_atte

⚡ Watch CVE-2026-54445

Get an email if CVE-2026-54445 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-54445

CVE.org record

Embed the live status

CVE-2026-54445 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54445 status](https://www.csirts.com/badge/CVE-2026-54445)](https://www.csirts.com/cve/CVE-2026-54445)