Skip to main content

NornicDB CVE-2026-42072

| EUVDEUVD-2026-28808 CRITICAL
Use of Default Credentials (CWE-1392)
2026-05-08 GitHub_M GHSA-2hp7-65r3-wv54
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 08, 2026 - 18:03 EUVD
Source Code Evidence Fetched
May 08, 2026 - 17:01 vuln.today
Analysis Generated
May 08, 2026 - 17:01 vuln.today
CVE Published
May 08, 2026 - 15:59 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database - with its default admin:password credentials - to any device sharing the network. This issue has been patched in version 1.0.42-hotfix.

AnalysisAI

NornicDB's Bolt server binds to all network interfaces (0.0.0.0) regardless of the --address CLI flag or server.host configuration, exposing the graph database with default admin:password credentials to any device on the same LAN. The HTTP server correctly honors bind address restrictions, but a configuration plumbing bug prevents the Bolt protocol listener from reading the intended host parameter. Vendor-released patch available in version 1.0.42-hotfix addresses the underlying CWE-1392 (Improper Binding of Resource to Another Sphere) by adding Host field to Bolt configuration and wiring the resolveBindAddress() function to both protocol listeners. GitHub security advisory GHSA-2hp7-65r3-wv54 confirms the vulnerability with reproduction steps showing netstat evidence of wildcard binding despite localhost configuration.

Technical ContextAI

NornicDB is a distributed graph+vector database supporting Cypher queries over the Bolt protocol (default port 7687, Neo4j-compatible wire format) and HTTP (port 7474). The vulnerability stems from incomplete parameter passing in the Go codebase: the cmd/nornicdb/main.go CLI parser captures the --address flag (backed by NORNICDB_ADDRESS environment variable and server.host config key) and correctly applies it to the HTTP server via serverConfig.Address, but never initializes the corresponding field in boltConfig before calling bolt.Server.ListenAndServe(). The Bolt server's pkg/bolt/server.go:774 constructs the listen address as fmt.Sprintf(":%d", s.config.Port) - with an empty host component - causing Go's net.Listen() to bind the IPv4/IPv6 wildcard address (0.0.0.0 / ::). This is a textbook example of CWE-1392 (Improper Binding of Resource to Another Sphere): the intended security boundary (localhost-only binding) is violated because configuration intended for one subsystem (HTTP) fails to propagate to another (Bolt). The affected component is cpe:2.3:a:orneryd:nornicdb:*:*:*:*:*:*:*:* versions prior to 1.0.42-hotfix.

RemediationAI

Upgrade to NornicDB version 1.0.42-hotfix, released at https://github.com/orneryd/NornicDB/releases/tag/v1.0.42 and patched via commit adce4f9a9fc7b6aada07c0bfa2d737cd7a6efaca. The fix introduces a resolveBindAddress() function that correctly propagates the --address CLI flag, NORNICDB_ADDRESS environment variable, and server.host/server.boltAddress config keys to both HTTP and Bolt listeners, along with unit tests verifying precedence rules. If immediate patching is not feasible, implement these compensating controls in order of effectiveness: (1) Deploy firewall rules restricting TCP port 7687 (Bolt) to only localhost/127.0.0.1 connections - this fully mitigates the wildcard binding by blocking external access, though it may break legitimate remote client connections if your architecture requires them; (2) Change default credentials immediately via NornicDB's user management interface (consult vendor documentation for credential rotation procedure) - this reduces exposure from authentication bypass to credential brute-force, but does not fix the underlying binding issue; (3) Network segmentation isolating NornicDB servers onto dedicated VLANs/subnets with strict ACLs - effective for cloud/datacenter deployments but impractical for laptop-based development environments. Note that setting NORNICDB_BOLT_ADDRESS or server.host in config.yaml has NO effect on vulnerable versions due to the plumbing bug, so configuration-based workarounds are insufficient. The patch has no known side effects or breaking changes based on the commit diff review.

Share

CVE-2026-42072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy