Skip to main content

Helix Core Server CVE-2026-6043

| EUVDEUVD-2026-25415 HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-04-24 Perforce GHSA-rv45-r523-m576
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 28, 2026 - 13:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 14:00 vuln.today
CVSS changed
Apr 24, 2026 - 12:22 NVD
8.8 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 11:30 euvd
EUVD-2026-25415
Analysis Generated
Apr 24, 2026 - 11:30 vuln.today
CVE Published
Apr 24, 2026 - 11:02 nvd
HIGH 8.8

DescriptionCVE.org

P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release enforces secure-by-default

AnalysisAI

Helix Core Server (P4D) before 2026.1 ships with insecure default configurations allowing remote unauthenticated attackers to create arbitrary user accounts, enumerate users, authenticate without passwords, and access repository contents via the built-in 'remote' user. EPSS score of 0.06% (19th percentile) suggests low observed exploitation attempts despite the high CVSS 8.8 score and SSVC classification as automatable with partial impact. No active exploitation confirmed (not in CISA KEV). Perforce reports this as vendor-disclosed with secure-by-default enforced in version 2026.1.

Technical ContextAI

Helix Core Server (P4D) is Perforce's version control system for enterprise source code and digital asset management. The vulnerability stems from CWE-1188 (Initialization of a Resource with an Insecure Default Value), where multiple security-relevant server configurables ship in permissive states: user account self-provisioning enabled, user enumeration allowed, passwordless authentication permitted for certain accounts, and the built-in 'remote' user account configured with depot access. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms network-accessible exploitation with no attack complexity, no required privileges, and no user interaction. The VC:H/VI:L ratings indicate high confidentiality impact (source code exposure) with low integrity impact (limited write capabilities). CPE cpe:2.3:a:perforce:helix_core_server_(p4d):*:*:*:*:*:*:*:* identifies all versions prior to 2026.1 as affected. EUVD data confirms version range 0 through 2025.2 vulnerable. The combination of default settings creates a compound weakness where each insecure default amplifies the others.

RemediationAI

Upgrade to Helix Core Server (P4D) version 2026.1 or later, which enforces secure-by-default configuration per vendor advisory at https://portal.perforce.com/s/cve/a91Qi000002wRUvIAM and documentation at https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/secure-by-default-overview.html. For environments unable to upgrade immediately, implement compensating controls: (1) Disable unauthenticated user creation by setting the 'dm.user.noautocreate' configurable to 2, preventing arbitrary account creation but breaking workflows that rely on self-service provisioning. (2) Require passwords for all accounts by auditing user list with 'p4 users' and setting passwords with 'p4 passwd', though this requires manual administration overhead. (3) Remove or restrict the built-in 'remote' user via 'p4 protect' table modifications, noting this may break replication or edge server configurations. (4) Restrict network access to P4 server port (default 1666) using firewall rules to trusted IP ranges only, which is the most effective short-term control but requires accurate IP allow-listing and breaks remote developer access. Review security configurables per https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/security-configurables.html to harden remaining settings. Each workaround trades operational convenience for security and may require process changes.

Share

CVE-2026-6043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy