CVE-2026-54445
Default Root Credentials in vantage6 Infrastructure

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
vantage6 is an open-source infrastructure for privacy-preserving analysis. Versions prior to 5.0.0 create an initial user with username `root` and password `root`. This is a weakness because attackers know that almost all vantage6 servers have a user named `root`, which most likely has admin rights; the initial password is very weak, and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, the `root` user can be deleted once it has been used to create other users.
Meta Information
Generated: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: vantage6
Product: vantage6
Version / Range: all versions up to 5.0.0 (excluding 5.0.0)
CWE
CWE-204: The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
CWE-1393: The product uses default passwords for potentially critical functionality.
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in vantage6 versions prior to 5.0.0 is that the initial user account is created with the username 'root' and a default password 'root'. This is problematic because attackers are aware that vantage6 servers typically have this 'root' user with likely administrative privileges, and the default password is very weak. Additionally, administrators may forget to change or delete this default account, leaving the system exposed.

Impact Analysis

This vulnerability can allow attackers to gain unauthorized administrative access to the vantage6 server by using the default 'root' username and password. Such access can lead to unauthorized control over the system, potentially compromising data privacy and integrity.

Detection Guidance

This vulnerability can be detected by checking if the vantage6 server has a user with the username 'root' that still uses the default password 'root'. Since the initial user is created with these credentials, verifying their presence and password status is key.

However, no specific commands or detection tools are provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, immediately reset the password for the 'root' user to a strong, unique password.

Alternatively, after creating other users with appropriate privileges, delete the 'root' user to prevent attackers from exploiting the default credentials.

Upgrading vantage6 to version 5.0.0 or later also fixes this issue.

Compliance Impact

The vulnerability involves an initial user with a default username and weak password, which can lead to unauthorized access if the password is not changed. This weak authentication mechanism could result in unauthorized data access or control over the system.

Such unauthorized access risks may impact compliance with standards and regulations like GDPR and HIPAA, which require adequate protection of personal and sensitive data through strong access controls and authentication mechanisms.

Therefore, failure to change the default credentials could lead to non-compliance with these regulations due to insufficient security controls.
