Skip to main content

CWE-798

Use of Hard-coded Credentials

1151 CVEs Avg CVSS 8.5 MITRE
581
CRITICAL
369
HIGH
181
MEDIUM
13
LOW
369
POC
7
KEV

Monthly

CVE-2026-61684 HIGH This Week

Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugin reverse-call endpoints, because /api/invoke/* trusts tokens signed with INVOKE_TOKEN_SECRET whose default value is the literal string 'token' and which official deployment templates never set. By self-signing an HS256 JWT, an attacker can call /api/invoke/userInfo to read cross-tenant user PII via arbitrary tmbId values, or /api/invoke/fileUpload to write attacker-controlled content into chat files. No public exploit identified at time of analysis and not listed in CISA KEV, but the trivial exploitation and hardcoded-secret root cause make this high priority for self-hosted deployments.

Authentication Bypass Fastgpt
NVD GitHub
CVSS 4.0
8.8
CVE-2026-37270 CRITICAL Act Now

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14807 CRITICAL Act Now

Credential exposure and authentication bypass in PROG MIS's ERP App lets unauthenticated remote attackers log in using hard-coded credentials, then read application source code and extract the backing database account and password. Because the leaked database credentials grant direct access to the data tier, a single successful login can escalate into full compromise of the application's stored data. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and the CWE-798 root cause make this a high-priority fix for any organization running this Taiwanese ERP product.

Authentication Bypass Erp App
NVD
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-13768 CRITICAL PATCH CISA Act Now

Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. This flaw was reported through CISA ICS-CERT (ICSA-26-183-03) and carries a CVSS 4.0 base score of 9.5, but no public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
9.5
EPSS
0.6%
CVE-2026-13728 MEDIUM This Month

WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.

Authentication Bypass Watchguard Fireware Os
NVD VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-49352 npm CRITICAL PATCH GHSA Act Now

Authentication bypass in 9router (>= 0.2.21 through 0.4.41) lets any unauthenticated remote attacker forge a valid dashboard session cookie because the JWT signing key falls back to the publicly committed hardcoded string "9router-default-secret-change-me" whenever the JWT_SECRET environment variable is unset. Since this secret is identical across every release and visible in the public repository, an attacker can pre-compute a valid auth_token, bypass the /dashboard login, and reach every API endpoint to steal stored API keys and auth tokens or take over the instance. Publicly available exploit code exists (the advisory ships a working jose-based PoC); there is no CISA KEV listing and no confirmed active exploitation at time of analysis.

Authentication Bypass OpenSSL
NVD GitHub
CVSS 3.1
9.8
CVE-2026-7839 CRITICAL Act Now

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can reach the HTTP administration port (default TCP 80) log in as administrator. On a fresh or unmodified install where settings2.txt is absent, the repeater writes the literal password 'adminadmi2', and the Basic-auth handler enforces no rate-limiting or lockout, so a single well-known credential yields full control over allow/deny rules and session visibility. Rated CVSS 9.1 (CWE-798); no public exploit identified at time of analysis, though the credential itself is disclosed in the advisory.

Authentication Bypass Ultravnc
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-50110 CRITICAL PATCH CISA Act Now

Credential exposure in StoneFly Storage Concentrator (SC) and its virtual machine variant (SCVM) lets an attacker recover plaintext credentials for numerous internal services from a configuration file where they are stored using reversible encoding rather than encryption. The hardcoded accounts cover databases, licensing, replication, and third-party integrations, so recovering them grants pivoting access across multiple interconnected systems. Reported to NVD via CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis and the vector is local (AV:L).

Authentication Bypass
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-56278 npm CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets unauthenticated remote attackers forge valid signed session cookies and impersonate any user, including administrators. The flaw stems from a publicly known hardcoded default secret ('flowise') used by the express-session middleware whenever the EXPRESS_SESSION_SECRET environment variable is left unset - the default deployment state. No public exploit identified at time of analysis, but forgery is trivial since the signing key is visible in the source code, and CVSS 4.0 rates it 9.3 (Critical).

Authentication Bypass Flowise
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-31928 CRITICAL CISA Emergency

Default administrative web credentials in Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 digital media players grant full system access to anyone who knows the shipped account, because the devices do not force a credential change during setup or operation. Tracked as CWE-798 (use of hard-coded/default credentials) and rated CVSS 4.0 9.3 by ICS-CERT, this lets a network-positioned attacker log into the management interface and seize complete control of the device. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but default-credential weaknesses are trivially abused once the device is reachable.

Authentication Bypass Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVSS 8.8
HIGH This Week

Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugin reverse-call endpoints, because /api/invoke/* trusts tokens signed with INVOKE_TOKEN_SECRET whose default value is the literal string 'token' and which official deployment templates never set. By self-signing an HS256 JWT, an attacker can call /api/invoke/userInfo to read cross-tenant user PII via arbitrary tmbId values, or /api/invoke/fileUpload to write attacker-controlled content into chat files. No public exploit identified at time of analysis and not listed in CISA KEV, but the trivial exploitation and hardcoded-secret root cause make this high priority for self-hosted deployments.

Authentication Bypass Fastgpt
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

Authentication Bypass N A
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Credential exposure and authentication bypass in PROG MIS's ERP App lets unauthenticated remote attackers log in using hard-coded credentials, then read application source code and extract the backing database account and password. Because the leaked database credentials grant direct access to the data tier, a single successful login can escalate into full compromise of the application's stored data. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and the CWE-798 root cause make this a high-priority fix for any organization running this Taiwanese ERP product.

Authentication Bypass Erp App
NVD
EPSS 1% CVSS 9.5
CRITICAL PATCH Act Now

Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. This flaw was reported through CISA ICS-CERT (ICSA-26-183-03) and carries a CVSS 4.0 base score of 9.5, but no public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.

Authentication Bypass Watchguard Fireware Os
NVD VulDB
CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in 9router (>= 0.2.21 through 0.4.41) lets any unauthenticated remote attacker forge a valid dashboard session cookie because the JWT signing key falls back to the publicly committed hardcoded string "9router-default-secret-change-me" whenever the JWT_SECRET environment variable is unset. Since this secret is identical across every release and visible in the public repository, an attacker can pre-compute a valid auth_token, bypass the /dashboard login, and reach every API endpoint to steal stored API keys and auth tokens or take over the instance. Publicly available exploit code exists (the advisory ships a working jose-based PoC); there is no CISA KEV listing and no confirmed active exploitation at time of analysis.

Authentication Bypass OpenSSL
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can reach the HTTP administration port (default TCP 80) log in as administrator. On a fresh or unmodified install where settings2.txt is absent, the repeater writes the literal password 'adminadmi2', and the Basic-auth handler enforces no rate-limiting or lockout, so a single well-known credential yields full control over allow/deny rules and session visibility. Rated CVSS 9.1 (CWE-798); no public exploit identified at time of analysis, though the credential itself is disclosed in the advisory.

Authentication Bypass Ultravnc
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Credential exposure in StoneFly Storage Concentrator (SC) and its virtual machine variant (SCVM) lets an attacker recover plaintext credentials for numerous internal services from a configuration file where they are stored using reversible encoding rather than encryption. The hardcoded accounts cover databases, licensing, replication, and third-party integrations, so recovering them grants pivoting access across multiple interconnected systems. Reported to NVD via CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis and the vector is local (AV:L).

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets unauthenticated remote attackers forge valid signed session cookies and impersonate any user, including administrators. The flaw stems from a publicly known hardcoded default secret ('flowise') used by the express-session middleware whenever the EXPRESS_SESSION_SECRET environment variable is left unset - the default deployment state. No public exploit identified at time of analysis, but forgery is trivial since the signing key is visible in the source code, and CVSS 4.0 rates it 9.3 (Critical).

Authentication Bypass Flowise
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Emergency

Default administrative web credentials in Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 digital media players grant full system access to anyone who knows the shipped account, because the devices do not force a credential change during setup or operation. Tracked as CWE-798 (use of hard-coded/default credentials) and rated CVSS 4.0 9.3 by ICS-CERT, this lets a network-positioned attacker log into the management interface and seize complete control of the device. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but default-credential weaknesses are trivially abused once the device is reachable.

Authentication Bypass Vfc Dmp 5000 Dmp 5000 +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy