Description
P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations
Published: 2026-04-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to source code repositories
Action: Apply Patch
AI Analysis

Impact

P4 Server versions before 2026.1 run with insecure default settings that enable an unauthenticated attacker to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password, and access depot contents via the built‑in "remote" user. These combined capabilities can provide an attacker full, unauthorized access to source code repositories and related assets.

Affected Systems

The affected product is Perforce Helix Core Server (P4D). All releases prior to version 2026.1 are vulnerable. Administrators of any earlier installation should verify the version and plan remediation accordingly.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity flaw, yet the EPSS score of less than 1% suggests that exploitation is unlikely at this time. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is over an untrusted network, where an adversary can communicate with the P4D server without authentication. Exploitation requires the insecure default configuration to be present; no local privilege escalation or additional software vulnerability is required beyond the defaults.

Generated by OpenCVE AI on April 28, 2026 at 06:54 UTC.

Remediation

Vendor Solution

Upgrade to P4 Server (P4D) version 2026.1 or later, expected in May 2026, which enforces secure-by-default configurations on both new installations and upgrades.

Vendor Workaround

For installations that cannot immediately upgrade to 2026.1, administrators should apply manual hardening by configuring security-related server settings as documented at https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/security-configurables.html.

OpenCVE Recommended Actions

  • Upgrade to P4 Server (P4D) version 2026.1 or later, which enforces secure-by-default configurations on new installations and upgrades.
  • If immediate upgrade is not feasible, manually harden the server by configuring security‑related settings as documented in the Perforce guidance for secure configurations.
  • Restrict the P4D server’s exposure to trusted networks or apply firewall rules to block unauthenticated access from untrusted hosts.

Generated by OpenCVE AI on April 28, 2026 at 06:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
References

Fri, 24 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release enforces secure-by-default P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations

Fri, 24 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
Description P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release enforces secure-by-default
Title Insecure Default Configuration in P4 Server
First Time appeared Perforce
Perforce helix Core Server P4d
Weaknesses CWE-1188
CPEs cpe:2.3:a:perforce:helix_core_server_p4d_:*:*:*:*:*:*:*:*
Vendors & Products Perforce
Perforce helix Core Server P4d
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Perforce Helix Core Server P4d
cve-icon MITRE

Status: PUBLISHED

Assigner: Perforce

Published:

Updated: 2026-04-28T12:12:01.630Z

Reserved: 2026-04-09T17:45:51.571Z

Link: CVE-2026-6043

cve-icon Vulnrichment

Updated: 2026-04-24T12:01:57.679Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-24T12:17:07.660

Modified: 2026-04-28T13:19:22.913

Link: CVE-2026-6043

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:00:09Z

Weaknesses