Skip to main content

Chef 360 EUVDEUVD-2026-37956

| CVE-2026-8668 LOW
Unprotected Transport of Credentials (CWE-523)
2026-06-18 ProgressSoftware GHSA-2q9w-rh4f-g84j
2.3
CVSS 4.0 · Vendor: ProgressSoftware

Severity by source

Vendor (ProgressSoftware) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:L/U:X
vuln.today AI
7.5 HIGH

PR:N because the static credential is the authentication mechanism itself; S:C and C:H reflect cross-tenant confidentiality breach via message queue.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L

Primary rating from Vendor (ProgressSoftware).

CVSS VectorVendor: ProgressSoftware

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:L/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
N

Lifecycle Timeline

2
Patch available
Jun 18, 2026 - 23:16 EUVD
Analysis Generated
Jun 18, 2026 - 22:20 vuln.today

DescriptionCVE.org

A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues.  Queue messages contained tenant-specific identifiers.  The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely.

AnalysisAI

Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Chef 360 software copy
Delivery
Extract hardcoded message queue credential
Exploit
Reach internal queue endpoint over network
Execution
Authenticate using static credential
Persist
Read queued messages
Impact
Harvest cross-tenant identifiers

Vulnerability AssessmentAI

Exploitation The vulnerability requires network reachability to the Chef 360 internal message queue endpoint - exploitation is only possible from a network position that can reach this service, which is typically an internal or cloud-internal network segment rather than the public internet. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score of 2.3 significantly understates real-world risk when all signals are considered together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to the Chef 360 message queue endpoint extracts the hardcoded credential from a copy of the Chef 360 software or from public disclosure, then authenticates to the queue directly using that credential. Once connected, the attacker reads queued messages to harvest tenant-specific identifiers, enabling cross-tenant reconnaissance or targeted follow-on attacks against individual tenants. …
Remediation Vendor-released patch: Chef 360 v1.7.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy