PYSEC-2026-3400

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/vantage6/PYSEC-2026-3400.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3400
Aliases
Published
2026-07-13T15:46:15.015504Z
Modified
2026-07-13T16:33:32.067229507Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Vantage6: Set admin user and password from environment or configuration
Details

Impact

Vantage6 currently provides an initial user with username root and password root. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username root that probably has admin rights - The initial password is very weak and it is possible that administrators forget to reset it.

Patches

No

Workarounds

It is possible to delete the root user after it has been used to create other users

References

We could consider doing this like mongodb

Additional info

Luis uses the following patch to mitigate it:

diff --git a/vantage6-server/vantage6/server/__init__.py b/vantage6-server/vantage6/server/__init__.py
index ea362c1e..c6dcbbd9 100644
--- a/vantage6-server/vantage6/server/__init__.py
+++ b/vantage6-server/vantage6/server/__init__.py
@@ -618,18 +618,30 @@ class ServerApp:
             # TODO use constant instead of 'Root' literal
             root = db.Role.get_by_name("Root")

-            log.warn(
-                f"Creating root user: "
-                f"username={SUPER_USER_INFO['username']}, "
-                f"password={SUPER_USER_INFO['password']}"
-            )
+            # Temporary patch
+            # read initial root password from file (docker secret) if provided
+            # TODO: This is a workaround so we don't have an insecure vserver
+            #       at the start. Ideally, we would provide an already hashed
+            #       password. But as hashing is implemented via @validates on
+            #       the field 'password', there isn't a nice way around this.
+            if os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE"):
+                with open(
+                    os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE")
+                ) as password_file:
+                    initial_root_password = password_file.read().strip()
+                log.info(
+                    f"Creating root user with password provided via V6_INITIAL_ROOT_PASSWORD_FILE"
+                )
+            else:
+                initial_root_password = SUPER_USER_INFO["password"]
+                log.warn(f"Creating root user with default credentials!")

             user = db.User(
                 username=SUPER_USER_INFO["username"],
                 roles=[root],
                 organization=org,
                 email="root@domain.ext",
-                password=SUPER_USER_INFO["password"],
+                password=initial_root_password,
                 failed_login_attempts=0,
                 last_login_attempt=None,
             )
References

Affected packages

PyPI / vantage6

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.0

Affected versions

0.*
0.0.0b0
0.0.0b1
0.0.0b3
0.0.0
1.*
1.0.0a1
1.0.0a2
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0b5
1.0.0b6
1.0.0b7
1.0.0b8
1.0.0b9
1.0.0b10
1.0.0b11
1.0.0b12
1.0.0b13
1.0.0b14
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.3.post2
2.*
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0
2.0.0.post1
2.0.1rc1
2.0.1rc2
2.1.0rc1
2.1.0
2.1.1
2.2.0b1
2.2.0b2
2.2.0b3
2.2.0b4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.3.0rc1
2.3.0rc2
2.3.0rc3
2.3.0rc4
2.3.0rc5
2.3.0
2.3.1
2.3.2rc1
2.3.2
2.3.3
2.3.4
2.3.5b1
2.3.5
3.*
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0b5
3.0.0b6
3.0.0b7
3.0.0b8
3.0.0rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0rc1
3.1.0rc5
3.1.0rc6
3.1.0rc7
3.1.0rc8
3.1.0rc9
3.1.0
3.1.1rc1
3.1.1rc2
3.2.0rc1
3.2.0rc2
3.2.0rc3
3.2.0rc4
3.2.0rc5
3.2.0
3.3.0a0
3.3.0rc1
3.3.0rc2
3.3.0rc3
3.3.0rc4
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7a2
3.3.7a3
3.3.7
3.3.8a1
3.3.8a2
3.3.8a4
3.3.8a5
3.3.8a6
3.3.8a7
3.3.8a8
3.4.0a1
3.4.0a2
3.4.0a3
3.4.0a6
3.4.0
3.4.1a0
3.4.1a1
3.4.1a2
3.4.1a3
3.4.1
3.4.2a0
3.4.2
3.4.3
3.5.0rc1
3.5.0rc2
3.5.0rc3
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1rc1
3.6.1rc2
3.6.1rc3
3.6.1
3.7.0rc1
3.7.0rc2
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0rc3
3.8.0
3.8.1
3.8.2rc1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7rc1
3.8.7
3.8.8rc1
3.8.8rc2
3.8.8rc3
3.8.8
3.9.0rc2
3.9.0rc4
3.9.0
3.10.0rc1
3.10.0
3.10.1
3.10.3
3.10.4
3.11.0rc1
3.11.0rc2
3.11.0rc3
3.11.0
3.11.1
4.*
4.0.0a2
4.0.0a3
4.0.0a4
4.0.0a5
4.0.0a6
4.0.0a7
4.0.0a8
4.0.0a9
4.0.0a10
4.0.0
4.0.1rc2
4.0.1
4.0.2
4.0.3
4.1.0b0
4.1.0b1
4.1.0rc0
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0rc1
4.2.0rc2
4.2.0
4.2.1
4.2.2
4.2.3
4.3.0b3
4.3.0b4
4.3.0b5
4.3.0b6
4.3.0rc1
4.3.0rc2
4.3.0
4.3.1
4.3.2rc2
4.3.2
4.3.4rc3
4.3.4
4.4.0rc3
4.4.0
4.4.1
4.5.0rc3
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.6.0rc3
4.6.0rc4
4.6.0rc5
4.6.0rc6
4.6.0rc7
4.6.0
4.6.1
4.7.0rc1
4.7.0rc2
4.7.0
4.7.1rc1
4.7.1
4.8.0rc1
4.8.0rc2
4.8.0rc3
4.8.0
4.8.1
4.8.2
4.9.0rc1
4.9.0
4.9.1
4.10.0rc1
4.10.0rc2
4.10.0rc3
4.10.0rc4
4.10.0
4.10.1rc1
4.10.1
4.10.2
4.11.0rc2
4.11.0rc3
4.11.0rc4
4.11.0
4.12.0rc2
4.12.0
4.12.1
4.12.2rc1
4.12.2
4.12.3rc1
4.13.0rc2
4.13.0rc3
4.13.0rc4
4.13.0
4.13.1
4.13.2rc1
4.13.2
4.13.3rc1
4.13.3rc2
4.13.3
4.13.4rc1
4.13.4
4.13.5
4.13.6rc3
4.13.6
4.13.7rc1
4.13.7
4.14.0rc1
4.14.0
4.15.0rc1
4.15.0rc2
4.15.0rc3
4.15.0rc4
4.15.0rc5
4.15.0
4.15.1rc1
4.15.1
5.*
5.0.0a0
5.0.0a7
5.0.0a9
5.0.0a14
5.0.0a15
5.0.0a16
5.0.0a17
5.0.0a18
5.0.0a19
5.0.0a20
5.0.0a21
5.0.0a22
5.0.0a26
5.0.0a29
5.0.0a33
5.0.0a34
5.0.0a35
5.0.0a36
5.0.0a37
5.0.0a38
5.0.0a40
5.0.0a41
5.0.0a42
5.0.0a43
5.0.0a44
5.0.0a47
5.0.0b1
5.0.0b2
5.0.0b4
5.0.0rc1
5.0.0rc2
5.0.0rc4
5.0.0rc5
5.0.0rc6
5.0.0rc7
5.0.0rc8
5.0.0rc9
5.0.0rc10
5.0.0rc91

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/vantage6/PYSEC-2026-3400.yaml"