Description
A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues.  Queue messages contained tenant-specific identifiers.  The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely.
Published: 2026-06-18
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A static credential embedded in earlier versions of Progress Chef’s Chef360 enables unauthenticated access to internal message queues. These queues carry tenant‑specific identifiers, meaning an attacker can read sensitive data without proper authorization. The flaw is a form of hardcoded credential misuse (CWE‑523) that allows data disclosure and potential escalation of privileges within the system’s messaging layer.

Affected Systems

The vulnerability affects Progress Chef:Chef360 versions prior to 1.7.0. The fix is included in 1.7.1 and later releases, where the credential has been rotated and per‑tenant access controls are enforced.

Risk and Exploitability

The CVSS score of 2.3 reflects a low to moderate severity with minimal impact on system integrity. Because the credential is static and publicly documented, an attacker who can reach the message queue interface can authenticate automatically, though no EPSS data is available and the issue is not listed in CISA’s KEV catalog. The likely attack vector involves remote connection to the internal queue service using the hardcoded credentials, enabling unauthorized read of tenant identifiers and related messages.

Generated by OpenCVE AI on June 19, 2026 at 00:22 UTC.

Remediation

Vendor Solution

Fixed in 1.7.1


Vendor Workaround

Remove content from bundled tools; change password


OpenCVE Recommended Actions

  • Upgrade Chef360 to version 1.7.1 or later to eliminate the hardcoded credential
  • If an upgrade is not immediately feasible, remove the bundled content that contains the hardcoded credential and change any default passwords to unique values
  • Limit exposure of the message queue interface by applying network segmentation or firewall rules to restrict access to trusted hosts only

Generated by OpenCVE AI on June 19, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Progress
Progress chef360
Vendors & Products Progress
Progress chef360

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues.  Queue messages contained tenant-specific identifiers.  The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely.
Title Hardcoded credentials in embedded content
Weaknesses CWE-523
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L/E:P/S:N/AU:Y/RE:L'}


Subscriptions

Progress Chef360
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-06-22T18:23:03.280Z

Reserved: 2026-05-15T09:51:14.946Z

Link: CVE-2026-8668

cve-icon Vulnrichment

Updated: 2026-06-22T18:22:59.066Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:55:38Z

Weaknesses
  • CWE-523

    Unprotected Transport of Credentials