Description
vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the `root` user after it has been used to create other users.
Published: 2026-06-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Vantage6 allows the creation of an initial administrative account with the username 'root' and the password 'root'. This weak default credential pair is hard‑coded, making it simple for an attacker who can reach the service to authenticate as a privileged user. Once authenticated, the attacker can perform any administrative operation, leading to a full compromise of the system.

Affected Systems

All Vantage6 deployments using versions prior to 5.0.0 are affected. The issue is fixed in release 5.0.0, which removes or changes the default credentials.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1 percent suggests that exploitations are currently rare. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote access to the Vantage6 API or web interface, enabling an attacker to authenticate instantly and gain full administrative control. No special prerequisites are required beyond network reachability.

Generated by OpenCVE AI on June 18, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Vantage6 version 5.0.0 or later to remove the vulnerable default credentials.
  • Delete the default 'root' account as soon as starting a new installation, or disable the account.
  • Create new administrative accounts with strong, unique passwords and enforce a password policy.

Generated by OpenCVE AI on June 18, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fgmc-2hqj-86v4 Vantage6: Set admin user and password from environment or configuration
History

Thu, 18 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Vantage6
Vantage6 vantage6
Vendors & Products Vantage6
Vantage6 vantage6

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the `root` user after it has been used to create other users.
Title Vantage6: Set admin user and password from environment or configuration
Weaknesses CWE-1393
CWE-204
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Vantage6 Vantage6
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T15:49:54.097Z

Reserved: 2026-06-15T15:30:40.317Z

Link: CVE-2026-54445

cve-icon Vulnrichment

Updated: 2026-06-18T15:49:50.541Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses