Skip to main content

Tyler Identity Local EUVDEUVD-2026-30937

| CVE-2026-44159 CRITICAL
Use of Default Credentials (CWE-1392)
2026-05-19 cisa-cg GHSA-fmqc-2w48-qp8r
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Updated
May 19, 2026 - 15:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 15:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
May 19, 2026 - 15:00 vuln.today

DescriptionCVE.org

Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021.

AnalysisAI

Use of default administrative credentials in Tyler Identity Local (TID-L) allows remote unauthenticated attackers to gain full administrative access to affected deployments. The credentials are publicly documented and users are not forced to change them at install time, and because the product was discontinued in December 2020 and unsupported since 2021, no vendor patch is available. CVSS 4.0 rates this 9.3 (Critical); no public exploit identified at time of analysis and the issue is not in CISA KEV.

Technical ContextAI

Tyler Identity Local (TID-L) is an on-premises identity/authentication component from Tyler Technologies historically used by state and local government customers. The flaw maps to CWE-1392 (Use of Default Credentials), a configuration weakness in which the vendor ships fixed, publicly documented administrator credentials and does not enforce a change-on-first-use workflow. Per the CPE string cpe:2.3:a:tyler_technologies:tid-l:*:*:*:*:*:*:*:*, every version of the TID-L application is in scope. The reporting source (cisa-cg, the CISA Coordinated Disclosure / Cybersecurity Advisory program) and the referenced CSAF advisory (va-26-138-01) indicate this was disclosed through coordinated vulnerability disclosure rather than independent research.

RemediationAI

No vendor-released patch identified at time of analysis - TID-L is end-of-life and end-of-support, so the only durable remediation is to decommission TID-L and migrate to a supported Tyler identity offering or another modern IdP, coordinating with Tyler Technologies per the CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-138-01.json. As immediate compensating controls until migration completes, change the documented default administrative credentials to a long random secret (recognizing this is unsupported and may break vendor-prescribed flows), place the TID-L management interface behind a VPN or restrict it via firewall ACL to a small admin jump-host subnet so it is not reachable from the internet or general user network (trade-off: legitimate remote admin workflows must move through the bastion), and enable network-layer logging on access to TID-L endpoints to detect credential-use attempts. Audit downstream applications that trust TID-L for authentication and prepare to revoke that trust during cutover to limit blast radius if the credential is used before decommissioning.

Share

EUVD-2026-30937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy