Skip to main content

navify Digital Pathology CVE-2026-9844

| EUVDEUVD-2026-33923 HIGH
Use of Default Credentials (CWE-1392)
2026-06-02 5cdcf916-2b10-4ec8-bfc1-d054821e439e GHSA-p3m3-2jc5-vvp6
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Green

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
N

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 14:33 vuln.today

DescriptionCVE.org

Use of default credentials vulnerability in Roche Diagnostics navify Digital Pathology (RabbitMQ Management interface modules) allows Default Usernames and Passwords. This issue affects navify Digital Pathology: from 2.0.0 before 2.4.1.

AnalysisAI

Default credential exposure in Roche Diagnostics navify Digital Pathology (versions 2.0.0 through 2.4.0) lets remote unauthenticated attackers log into the embedded RabbitMQ Management interface using factory-shipped usernames and passwords. CVSS 4.0 rates the issue 8.8 with network attack vector and no privileges required, and no public exploit identified at time of analysis. Successful access exposes message-broker administration, enabling data interception, queue manipulation, and downstream tampering with pathology workflows.

Technical ContextAI

navify Digital Pathology is Roche's cloud/edge platform for whole-slide image management and AI-assisted diagnostic review. It bundles RabbitMQ as the asynchronous messaging backbone between ingestion, analysis, and reporting microservices, and exposes the RabbitMQ Management plugin (HTTP API and web UI, typically on port 15672) for operational control. CWE-1392 (Use of Default Credentials) describes shipping products with predictable built-in accounts that operators are not forced to change at deployment; in RabbitMQ's case the canonical default is the 'guest/guest' administrator, intended for loopback-only use but frequently reachable on bound interfaces in containerized or appliance deployments.

RemediationAI

Upgrade navify Digital Pathology to version 2.4.1 or later, which Roche identifies as the fixed release line; consult the Roche product security advisory at https://diagnostics.roche.com/global/en/legal/product-security-advisory.html for the per-tenant patch procedure. As compensating controls until the upgrade is rolled out, rotate the RabbitMQ management credentials to strong unique values and disable the default 'guest' account (side effect: any internal automation still hardcoded to guest/guest will break and must be re-credentialed), restrict the RabbitMQ management plugin to listen only on loopback or a management VLAN by setting management.tcp.ip in rabbitmq.conf, and block ingress to ports 15672/15671 (and 5672/5671 if AMQP is similarly exposed) at the network boundary so the broker is reachable only from trusted application tiers. Audit RabbitMQ access logs for prior logins by default accounts to confirm whether exploitation has already occurred.

Share

CVE-2026-9844 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy