Skip to main content

Chef360

2 CVEs product

Monthly

CVE-2026-8668 LOW PATCH Monitor

Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.

Information Disclosure Chef360
NVD VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-8100 HIGH PATCH This Week

Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. No public exploit identified at time of analysis, but the vendor advisory confirms the issue and a fixed release is available.

Authentication Bypass Chef360
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.

Information Disclosure Chef360
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. No public exploit identified at time of analysis, but the vendor advisory confirms the issue and a fixed release is available.

Authentication Bypass Chef360
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy