vantage6
CVE-2026-54445
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible login with publicly known default credentials; attacker needs no prior privileges, but impact is limited to low confidentiality, integrity, and availability per the CVSS 4.0 baseline.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 3 pypi packages depend on vantage6 (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 5.0.0.
DescriptionCVE.org
vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username root and password root. This is not ideal because attackers know that almost all vantage6 servers have a user with username root that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the root user after it has been used to create other users.
AnalysisAI
Default hardcoded admin credentials in vantage6 expose servers running versions prior to 5.0.0 to unauthorized administrative access by any network-accessible attacker who attempts the well-known username 'root' and password 'root'. The vantage6 server initializes with this superuser account on first deployment, and administrators who fail to change or delete it leave a predictable, trivially exploitable entry point. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two conditions: (1) the vantage6 server must be reachable over the network, and (2) the administrator must not have changed the default 'root' password or deleted the root user account after initial deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects that the attack requires no prior authentication and no special conditions on the attacker's side, and is executable from the network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers an internet-facing vantage6 server - trivially via Shodan or targeted reconnaissance against known federated analytics deployments - and submits an authentication request with username 'root' and password 'root'. If the default credentials remain unchanged, the attacker gains full administrative access to the vantage6 server, including the ability to read federated datasets, modify analysis configurations, or create backdoor accounts. … |
| Remediation | The primary fix is to upgrade to vantage6 5.0.0 or later, which resolves the issue by requiring the initial root password to be supplied via environment variable or configuration rather than using a hardcoded default. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Critical authentication bypass vulnerability in vantage6 (an open-source federated learning and privacy-enhancing techno
vantage6 servers auto-generate JWT secret keys using UUID1, a predictable algorithm that lacks cryptographic strength, a
Improper access control in vantage6 nodes prior to version 5.0.0 allows malicious algorithm containers to read input and
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today