Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release enforces secure-by-default
AnalysisAI
Helix Core Server (P4D) before 2026.1 ships with insecure default configurations allowing remote unauthenticated attackers to create arbitrary user accounts, enumerate users, authenticate without passwords, and access repository contents via the built-in 'remote' user. EPSS score of 0.06% (19th percentile) suggests low observed exploitation attempts despite the high CVSS 8.8 score and SSVC classification as automatable with partial impact. No active exploitation confirmed (not in CISA KEV). Perforce reports this as vendor-disclosed with secure-by-default enforced in version 2026.1.
Technical ContextAI
Helix Core Server (P4D) is Perforce's version control system for enterprise source code and digital asset management. The vulnerability stems from CWE-1188 (Initialization of a Resource with an Insecure Default Value), where multiple security-relevant server configurables ship in permissive states: user account self-provisioning enabled, user enumeration allowed, passwordless authentication permitted for certain accounts, and the built-in 'remote' user account configured with depot access. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms network-accessible exploitation with no attack complexity, no required privileges, and no user interaction. The VC:H/VI:L ratings indicate high confidentiality impact (source code exposure) with low integrity impact (limited write capabilities). CPE cpe:2.3:a:perforce:helix_core_server_(p4d):*:*:*:*:*:*:*:* identifies all versions prior to 2026.1 as affected. EUVD data confirms version range 0 through 2025.2 vulnerable. The combination of default settings creates a compound weakness where each insecure default amplifies the others.
RemediationAI
Upgrade to Helix Core Server (P4D) version 2026.1 or later, which enforces secure-by-default configuration per vendor advisory at https://portal.perforce.com/s/cve/a91Qi000002wRUvIAM and documentation at https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/secure-by-default-overview.html. For environments unable to upgrade immediately, implement compensating controls: (1) Disable unauthenticated user creation by setting the 'dm.user.noautocreate' configurable to 2, preventing arbitrary account creation but breaking workflows that rely on self-service provisioning. (2) Require passwords for all accounts by auditing user list with 'p4 users' and setting passwords with 'p4 passwd', though this requires manual administration overhead. (3) Remove or restrict the built-in 'remote' user via 'p4 protect' table modifications, noting this may break replication or edge server configurations. (4) Restrict network access to P4 server port (default 1666) using firewall rules to trusted IP ranges only, which is the most effective short-term control but requires accurate IP allow-listing and breaks remote developer access. Review security configurables per https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/security-configurables.html to harden remaining settings. Each workaround trades operational convenience for security and may require process changes.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25415
GHSA-rv45-r523-m576