CVE-2026-9142
Analyzed Analyzed - Analysis Complete

Insecure Default Credentials in NI grpc-device

Vulnerability report for CVE-2026-9142, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-25

Assigner: National Instruments

Description

There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback.Β  This may allow an unauthenticated user access to the server on the local network.Β  This affects NI grpc-device 2.17.0 and prior versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-25
Generated
2026-07-10
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
ni instrumentstudio to 2025 (inc)
ni instrumentstudio 2026
ni instrumentstudio 2026
ni ni_grpc_device_server to 2.18.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-9142 vulnerability affects NI grpc-device versions 2.17.0 and earlier. It involves insecure default credentials that exist when TLS configuration is missing and the server is bound beyond the loopback interface. This means that if the server is accessible on the local network without proper TLS security, an unauthenticated user can gain access to the server without needing any privileges or user interaction.

This vulnerability is classified under CWE-306, which refers to missing authentication for critical functions.

Impact Analysis

This vulnerability can have a critical impact by allowing unauthenticated users on the local network to access the NI grpc-device server. Because no authentication is required, attackers can potentially compromise the confidentiality and integrity of the system.

The CVSS score of 9.1 indicates a high severity, meaning the vulnerability poses a serious risk to affected systems.

Mitigation Strategies

To mitigate the CVE-2026-9142 vulnerability, upgrade NI grpc-device to version 2.18.0 or later.

Ensure that TLS configuration is properly enabled and that the server is not bound beyond the loopback interface without secure authentication.

Compliance Impact

The vulnerability allows unauthenticated users on the local network to access the server without privileges or user interaction, impacting confidentiality and integrity of data.

Such unauthorized access could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9142. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart