Description
A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues.  Queue messages contained tenant-specific identifiers.  The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely.
Published: 2026-06-18
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A static credential embedded in earlier versions of Progress Chef's Chef360 enables unauthenticated access to internal message queues. These queues carry tenant-specific identifiers, meaning an attacker can read sensitive data without proper authorization. The flaw is a hardcoded credential issue, recorded under CWE-523 (Unprotected Transport of Credentials), that allows data disclosure and potential escalation of privileges within the system's messaging layer.

Affected Systems

The vulnerability affects Progress Chef:Chef360 versions prior to 1.7.0. The fix is included in 1.7.1 and later releases, where the credential has been rotated and per‑tenant access controls are enforced.

Risk and Exploitability

The CVSS score of 2.3 reflects a low to moderate severity with minimal impact on system integrity. Because the credential is static and publicly documented, an attacker who can reach the message queue interface can authenticate automatically. No EPSS data is available, and the issue is not listed in CISA's KEV catalog. The likely attack vector is a remote connection to the internal queue service using the hardcoded credentials, which allows unauthorized reads of tenant identifiers and related messages.

Generated by OpenCVE AI on June 19, 2026 at 00:22 UTC.

Remediation

Vendor Solution

Fixed in 1.7.1


Vendor Workaround

Remove content from bundled tools; change password


OpenCVE Recommended Actions

  • Upgrade Chef360 to version 1.7.1 or later to eliminate the hardcoded credential
  • If an upgrade is not immediately feasible, remove the bundled content that contains the hardcoded credential and change any default passwords to unique values
  • Limit exposure of the message queue interface by applying network segmentation or firewall rules to restrict access to trusted hosts only

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues. Queue messages contained tenant-specific identifiers. The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely. |
| Title | | Hardcoded credentials in embedded content |
| Weaknesses | | CWE-523 |
| References | | |
| Metrics | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L/E:P/S:N/AU:Y/RE:L'} |


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-06-18T21:19:18.848Z

Reserved: 2026-05-15T09:51:14.946Z

Link: CVE-2026-8668

OpenCVE Enrichment

Updated: 2026-06-19T00:30:17Z

Weaknesses
  • CWE-523

    Unprotected Transport of Credentials