GHSA-FGMC-2HQJ-86V4: Default Administrative Credentials in vantage6-server
Vulnerability ID: GHSA-FGMC-2HQJ-86V4
CVSS Score: 6.9
Published: 2026-06-05
A vulnerability in the vantage6 federated learning framework allows unauthenticated remote attackers to gain administrative control of the server via hardcoded default credentials (root/root) when deployed under default configurations in versions 4.2.3 and below.
TL;DR
Vantage6 servers <= 4.2.3 ship with default administrative credentials (root/root). If administrators do not rotate these credentials, or if they delete the root user (which causes a boot-loop crash), unauthenticated remote attackers can compromise the server.
Technical Details
- CWE ID: CWE-1393
- Attack Vector: Network
- CVSS v4.0: 6.9 (Medium)
- Exploit Status: PoC / Workaround Disclosed
- Impact: Full Administrative Compromise
Affected Systems
- vantage6-server
Mitigation Strategies
- Upgrade to vantage6 version 5.0.0 or higher
- Use the V6_INITIAL_ROOT_PASSWORD_FILE environment variable to inject strong, unique credentials
- Disable or rotate default accounts immediately post-boot
Remediation Steps
- Identify unpatched installations of vantage6-server running version 4.2.3 or lower.
- Generate a strong, random password and store it securely on the host system or as a container secret.
- Define the environment variable V6_INITIAL_ROOT_PASSWORD_FILE pointing to the path of the password file.
- Restart the server and inspect the logs to verify that the message 'Creating root user with default credentials' is not present.
- Plan an upgrade path to version 5.0.0+ where the hardcoded fallback mechanism is completely deprecated.
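The steps above as a small POSIX shell helper. This is an added example written for this page, not code from the vantage6 project or the advisory: it generates a random root password into an owner-only file, checks that the file is usable and is not the default value, and runs the post-restart log check for the 'Creating root user with default credentials' message. The environment variable name and the log message come from the advisory; the secret and log file paths are placeholders, and the sample log lines in the usage comment are constructed.

```shell
#!/bin/sh
# Added example for the remediation steps above; not vantage6 project code.
# Assumptions: the server reads its initial root password from the file named
# by V6_INITIAL_ROOT_PASSWORD_FILE (the variable named in the advisory); the
# paths used when calling these functions are placeholders.

# Create a random root password file readable only by its owner.
# $1: path of the password file to create. Returns 0 on success.
make_root_secret() {
    secret="$1"
    dir=$(dirname "$secret")
    mkdir -p "$dir"
    chmod 700 "$dir"
    # Subshell so the restrictive umask does not leak into the caller.
    # 32 bytes of OS randomness, base64-encoded, trailing newline stripped.
    (umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' > "$secret")
    chmod 600 "$secret"
}

# Verify a password file before pointing V6_INITIAL_ROOT_PASSWORD_FILE at it:
# it must exist, be non-empty, be owner-only (mode 600 or 400), and must not
# contain the default password "root". Returns 0 if OK, 1 otherwise.
check_root_secret() {
    f="$1"
    [ -s "$f" ] || return 1
    # GNU stat first; fall back to the BSD/macOS form.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) return 1 ;;
    esac
    [ "$(cat "$f")" != "root" ] || return 1
    return 0
}

# Post-restart check from the advisory: the server log must not contain the
# message emitted when the hardcoded fallback credentials are used.
# $1: log file path. Returns 0 if the log is clean, 1 if the fallback ran.
logs_clean() {
    ! grep -q 'Creating root user with default credentials' "$1"
}

# Usage (paths are placeholders; run before starting the server):
#   make_root_secret /run/secrets/vantage6_root_password
#   check_root_secret /run/secrets/vantage6_root_password || exit 1
#   export V6_INITIAL_ROOT_PASSWORD_FILE=/run/secrets/vantage6_root_password
#   ... start the server, then:
#   logs_clean /var/log/vantage6/server.log || echo "default credentials were used"
```

`check_root_secret` refuses a file that still holds the literal string `root`, so copying the old default into the secret file by mistake is caught before the server boots; `logs_clean` is the mechanical form of step 4 and can be run from a health check after every restart.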
References
- GHSA-FGMC-2HQJ-86V4 Advisory
- Vantage6 Security Advisory
- Vantage6 Issue 1932
- Vantage6 Issue 2005
- Vantage6 Issue 2466