PT-2026-49248 · Pypi · Vantage6

Published

2026-06-05

·

Updated

2026-06-05

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Impact

Vantage6 currently ships with an initial user whose username is root and whose password is root. This is a problem for the following reasons:
  • Attackers know that almost all vantage6 servers have a user named root, and that this user very likely holds the admin (Root) role.
  • The initial password is extremely weak, and administrators may forget to change it after installation, leaving a well-known credential on an internet-facing server.

Patches

No

Workarounds

The root user can be deleted once it has been used to create the other users (including at least one other user holding the Root role), so that the well-known username no longer exists on the server.

References

One option is to follow the official [mongodb](https://hub.docker.com/_/mongo) Docker image, which takes the initial root credentials from environment variables (or their *_FILE variants pointing at a mounted secret) instead of shipping a fixed default.
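As an added example (not vantage6 or mongo code; the variable names V6_INITIAL_ROOT_PASSWORD and V6_INITIAL_ROOT_PASSWORD_FILE are assumptions), the following Python shows that pattern applied to an initial root password. It goes further than the reference in three ways a practitioner would want: it fails closed when nothing is configured instead of falling back to root/root, it rejects an empty or whitespace-only secret file, and it logs only the source of the password, never its value:

```python
"""Resolve an initial root password the way the official mongo image does
(a plain variable or a *_FILE variable pointing at a mounted Docker secret),
but fail closed instead of falling back to a built-in default.

Added example, not vantage6 code. The variable names V6_INITIAL_ROOT_PASSWORD
and V6_INITIAL_ROOT_PASSWORD_FILE are assumptions for illustration.
"""
import os
import secrets
import tempfile
from typing import Mapping

PASSWORD_VAR = "V6_INITIAL_ROOT_PASSWORD"            # assumed name
PASSWORD_FILE_VAR = "V6_INITIAL_ROOT_PASSWORD_FILE"  # assumed name
MIN_LENGTH = 12  # short enough to reject "root", long enough to be a real secret


class InitialPasswordError(RuntimeError):
    """No usable initial password is configured."""


def resolve_initial_password(env: Mapping[str, str]) -> str:
    """Return the initial root password taken from ``env``.

    The *_FILE variant (the usual secret-mount case) and the plain variable
    are mutually exclusive. There is deliberately no default: an unset
    configuration raises instead of creating root/root.
    """
    file_path = env.get(PASSWORD_FILE_VAR)
    plain = env.get(PASSWORD_VAR)
    if file_path and plain:
        raise InitialPasswordError(
            f"set only one of {PASSWORD_VAR} and {PASSWORD_FILE_VAR}")
    if file_path:
        with open(file_path, encoding="utf-8") as fh:
            # Strip only the trailing newline that `echo` or an editor adds;
            # other whitespace is part of the secret.
            password = fh.read().rstrip("\r\n")
    elif plain:
        password = plain
    else:
        raise InitialPasswordError(
            f"refusing to create the root user with a default password; "
            f"set {PASSWORD_VAR} or {PASSWORD_FILE_VAR}")
    # An empty secret file must not silently become an empty password,
    # and the shipped default "root" is rejected by the same check.
    if len(password) < MIN_LENGTH:
        raise InitialPasswordError(
            f"initial root password must be at least {MIN_LENGTH} characters")
    return password


def generate_initial_password() -> str:
    """Alternative for an image that prefers a random one-time password over
    failing: print it once at first boot, never to the regular log."""
    return secrets.token_urlsafe(24)


def startup_log_line(env: Mapping[str, str]) -> str:
    """What the server may log about the root user: where the password came
    from, never the password itself."""
    if env.get(PASSWORD_FILE_VAR):
        return f"creating root user, password from {PASSWORD_FILE_VAR}"
    return f"creating root user, password from {PASSWORD_VAR}"


def write_constructed_secret(contents: str) -> str:
    """Write a constructed secret file (stand-in for a /run/secrets mount)
    and return its path; sample input for the demo and the tests."""
    fd, path = tempfile.mkstemp(prefix="v6-root-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    secret_path = write_constructed_secret("correct-horse-battery-staple\n")
    env = {PASSWORD_FILE_VAR: secret_path}
    print(startup_log_line(env))
    assert resolve_initial_password(env) == "correct-horse-battery-staple"
    try:
        resolve_initial_password({})
    except InitialPasswordError as exc:
        print("fail-closed:", exc)
    os.unlink(secret_path)
```

The `rstrip("\r\n")` instead of `strip()` is deliberate: `docker secret create` and `kubectl create secret` store the bytes given to them, so stripping all whitespace could silently alter a secret that legitimately starts or ends with a space.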

Additional info

Luis uses the following patch to mitigate it:
diff --git a/vantage6-server/vantage6/server/ init .py b/vantage6-server/vantage6/server/ init .py
index ea362c1e..c6dcbbd9 100644
--- a/vantage6-server/vantage6/server/ init .py
+++ b/vantage6-server/vantage6/server/ init .py
@@ -618,18 +618,30 @@ class ServerApp:
       # TODO use constant instead of 'Root' literal
       root = db.Role.get by name("Root")
 
-      log.warn(
-        f"Creating root user: "
-        f"username={SUPER USER INFO['username']}, "
-        f"password={SUPER USER INFO['password']}"
-      )
+      # Temporary patch
+      # read initial root password from file (docker secret) if provided
+      # TODO: This is a workaround so we don't have an insecure vserver
+      #    at the start. Ideally, we would provide an already hashed
+      #    password. But as hashing is implemented via @validates on
+      #    the field 'password', there isn't a nice way around this.
+      if os.environ.get("V6 INITIAL ROOT PASSWORD FILE"):
+        with open(
+          os.environ.get("V6 INITIAL ROOT PASSWORD FILE")
+        ) as password file:
+          initial root password = password file.read().strip()
+        log.info(
+          f"Creating root user with password provided via V6 INITIAL ROOT PASSWORD FILE"
+        )
+      else:
+        initial root password = SUPER USER INFO["password"]
+        log.warn(f"Creating root user with default credentials!")
 
       user = db.User(
         username=SUPER USER INFO["username"],
         roles=[root],
         organization=org,
         email="root@domain.ext",
-        password=SUPER USER INFO["password"],
+        password=initial root password,
         failed login attempts=0,
         last login attempt=None,
       )
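Review bot: the file branch never checks that the secret it read is non-empty, so an empty or whitespace-only V6 INITIAL ROOT PASSWORD FILE (after `.strip()`) creates root with an empty password, which is worse than the default this patch is trying to remove; add a guard right after the read, e.g. `if not initial root password: raise ValueError("V6 INITIAL ROOT PASSWORD FILE is empty")`, and bind `os.environ.get("V6 INITIAL ROOT PASSWORD FILE")` to a local once instead of calling it twice. Minor: both new f-strings contain no placeholders and can be plain strings, and `log.warn` is the deprecated alias of `log.warning`. Since the comment marks this as temporary, consider also making the else branch fail closed (refuse to start, or generate a random password and report it once) rather than silently creating root with the default credentials and only a warning.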


Weakness Enumeration

Related Identifiers

GHSA-FGMC-2HQJ-86V4

Affected Products

Vantage6