CVE-2025-67860 PUBLISHED

NeuVector scanner insecurely handles passwords as command arguments

Assigner: suse
Reserved: 12.12.2025 Published: 25.02.2026 Updated: 25.02.2026

A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVSS Score: 3.8

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SUSE
Product	harvester
Versions	Default: unaffected affected from 4.0 to 4.072 (excl.)

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67860
https://github.com/harvester/harvester/security/advisories/GHSA-3c9m-gq32-g4jx

Problem Types

CWE-522: Insufficiently Protected Credentials CWE