
Vantage6

4 CVEs

CVE-2026-54533 | PyPI | MEDIUM | PATCH | This Month

Improper access control in vantage6 nodes prior to version 5.0.0 allows a malicious algorithm container to read the input and output files belonging to other algorithms running on the same node. This directly undermines the platform's core privacy guarantee (vantage6 is a federated learning infrastructure explicitly designed for privacy-preserving analysis) by exposing sensitive intermediate data to adversarially crafted algorithms. No public exploit had been identified at the time of analysis, and a patch is available in version 5.0.0.

Tags: Authentication Bypass, Vantage6
References: NVD, GitHub
CVSS 4.0: 6.9 | EPSS: 0.3%
CVE-2026-54445 | PyPI | MEDIUM | PATCH | This Month

Default hardcoded admin credentials in vantage6 expose servers running versions prior to 5.0.0 to unauthorized administrative access by any network-accessible attacker who tries the well-known username 'root' and password 'root'. The vantage6 server creates this superuser account on first deployment, and administrators who neither change nor delete it leave a predictable, trivially exploitable entry point. Although active exploitation has not been confirmed (there is no CISA KEV listing), the predictability of the credential pair and the sensitivity of the federated privacy-preserving analytics data vantage6 handles make this a meaningful operational risk for unpatched deployments.

Tags: Information Disclosure, Vantage6
References: NVD, GitHub
CVSS 4.0: 6.9 | EPSS: 0.3%
CVE-2025-43866 | PyPI | HIGH | PATCH | This Week

vantage6 servers auto-generate their JWT secret key using UUID1, a predictable value with no cryptographic strength, which allows an attacker to forge authentication tokens and gain unauthorized access to the privacy-preserving analysis platform. This affects all vantage6 versions prior to 4.11.0 in which the operator has not manually configured a strong JWT secret. The vulnerability has a CVSS score of 7.5 with high confidentiality impact, because an attacker can impersonate legitimate users without any privileges or user interaction.

Tags: Authentication Bypass, Python, Information Disclosure, Vantage6
References: NVD, GitHub
CVSS 3.1: 7.5 | EPSS: 0.1%
CVE-2025-43863 | PyPI | CRITICAL | PATCH | Act Now

A critical authentication bypass vulnerability in vantage6 (an open-source federated learning and privacy-enhancing technology framework) allows an attacker who already holds a valid authenticated session to brute-force user passwords through the change-password endpoint, which has neither rate limiting nor account lockout protections. By calling the password change route repeatedly, an attacker can try passwords without limit and receives detailed error messages that reveal whether the supplied password is correct. The vulnerability affects vantage6 versions prior to 4.11 and carries a CVSS score of 9.8 (critical severity).

Tags: Information Disclosure, Vantage6
References: NVD, GitHub
CVSS 3.1: 9.8 | EPSS: 0.1%
