Skip to main content

vantage6 CVE-2026-54445

MEDIUM
Observable Response Discrepancy (CWE-204)
2026-06-17 GitHub_M
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Network-accessible login with publicly known default credentials; attacker needs no prior privileges, but impact is limited to low confidentiality, integrity, and availability per the CVSS 4.0 baseline.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 23:07 vuln.today
Analysis Generated
Jun 17, 2026 - 23:07 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 pypi packages depend on vantage6 (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.0.0.

DescriptionCVE.org

vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username root and password root. This is not ideal because attackers know that almost all vantage6 servers have a user with username root that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the root user after it has been used to create other users.

AnalysisAI

Default hardcoded admin credentials in vantage6 expose servers running versions prior to 5.0.0 to unauthorized administrative access by any network-accessible attacker who attempts the well-known username 'root' and password 'root'. The vantage6 server initializes with this superuser account on first deployment, and administrators who fail to change or delete it leave a predictable, trivially exploitable entry point. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-accessible vantage6 server
Delivery
Submit login with root/root credentials
Exploit
Obtain authenticated admin session
Execution
Access or exfiltrate federated analysis data
Impact
Create persistent backdoor admin account

Vulnerability AssessmentAI

Exploitation Exploitation requires two conditions: (1) the vantage6 server must be reachable over the network, and (2) the administrator must not have changed the default 'root' password or deleted the root user account after initial deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects that the attack requires no prior authentication and no special conditions on the attacker's side, and is executable from the network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-facing vantage6 server - trivially via Shodan or targeted reconnaissance against known federated analytics deployments - and submits an authentication request with username 'root' and password 'root'. If the default credentials remain unchanged, the attacker gains full administrative access to the vantage6 server, including the ability to read federated datasets, modify analysis configurations, or create backdoor accounts. …
Remediation The primary fix is to upgrade to vantage6 5.0.0 or later, which resolves the issue by requiring the initial root password to be supplied via environment variable or configuration rather than using a hardcoded default. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy