Skip to main content

AutoBangumi CVE-2026-58466

| EUVDEUVD-2026-41435 CRITICAL
Use of Default Credentials (CWE-1392)
2026-07-02 VulnCheck GHSA-q3h2-6968-258w
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Publicly known default credentials give unauthenticated network login (PR:N/UI:N/AC:L) yielding full admin control over config and data, so C/I/A all High.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 20:35 vuln.today
CVSS changed
Jul 02, 2026 - 20:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)

DescriptionCVE.org

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.

AnalysisAI

Authentication bypass via hard-coded default credentials in AutoBangumi before 3.2.8 lets unauthenticated remote attackers log in as administrator using publicly known credentials that the application seeds at startup via add_default_user() whenever the users table is empty. Successful login grants full control over RSS feed and downloader configuration and every authenticated API endpoint (CVSS 4.0 9.3). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed AutoBangumi login
Delivery
Submit known default credentials
Exploit
Authenticate as administrator
Execution
Reconfigure RSS/downloader and API
Impact
Full application takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires that AutoBangumi be running a version before 3.2.8 and that the default administrator account seeded by add_default_user() still be present with its known credentials - this occurs whenever the users table was empty at startup (fresh install or reset) and the operator never replaced the default admin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated CVSS number. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-exposed AutoBangumi instance (e.g. via port/service scanning), submits the publicly known default administrator credentials to the login endpoint, and is authenticated as admin. …
Remediation Upgrade to AutoBangumi 3.2.8 or later, which contains the fix (Vendor-released patch: 3.2.8; release https://github.com/EstrellaXD/Auto_Bangumi/releases/tag/3.2.8, patch commit 487bdfec545e805ae416e6ddf28651bd274d6a73). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

**24 hours**: Conduct inventory of all AutoBangumi instances and document versions; immediately isolate or disable any running versions prior to 3.2.8. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy