PT-2026-34875 · Perforce · P4 Server
Published: 2026-04-24 · Updated: 2026-04-25 · CVE-2026-6043
CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
P4 Server versions prior to 2026.1
Description
Insecure default settings allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts without passwords, and access depot contents using the built-in 'remote' user when the system is exposed to untrusted networks. These configurations can result in unauthorized access to managed assets and source code repositories.
Recommendations
Update to version 2026.1 to enforce secure-by-default configurations.
Affected Products
P4 Server