CVE-2026-58466 PUBLISHED

AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user()

Assigner: VulnCheck
Reserved: 30.06.2026 Published: 02.07.2026 Updated: 02.07.2026

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.
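The weakness is a startup seeding routine that, on an empty users table, writes a fixed and publicly documented credential. The following added illustration is not AutoBangumi's code and does not use its real default credentials (the username and password below are constructed placeholders); it contrasts that seeding pattern with a hardened variant that generates a random one-time bootstrap password and flags the account for a forced change, plus a defender-side check for whether a well-known credential still authenticates.

```python
# Added illustration (not AutoBangumi's code): fixed-credential seeding vs.
# random bootstrap seeding, using an in-memory SQLite "users" table.
import hashlib
import secrets
import sqlite3
from typing import Optional

PLACEHOLDER_DEFAULT_USER = "admin"         # constructed placeholder, not the real default
PLACEHOLDER_DEFAULT_PASSWORD = "changeme"  # constructed placeholder, not the real default
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes = b"") -> str:
    # Salted PBKDF2-HMAC-SHA256, stored as "salthex$digesthex".
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate.hex(), digest_hex)


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, must_change INTEGER)")
    return conn


def add_default_user_vulnerable(conn: sqlite3.Connection) -> None:
    # Vulnerable pattern: empty users table -> seed a fixed, publicly known credential.
    if conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 0:
        conn.execute("INSERT INTO users VALUES (?, ?, 0)",
                     (PLACEHOLDER_DEFAULT_USER, _hash_password(PLACEHOLDER_DEFAULT_PASSWORD)))


def add_default_user_hardened(conn: sqlite3.Connection) -> Optional[str]:
    # Hardened pattern: seed a random one-time password (returned so the operator can
    # read it once from the startup log) and require a change at first login.
    if conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] != 0:
        return None
    bootstrap = secrets.token_urlsafe(24)
    conn.execute("INSERT INTO users VALUES (?, ?, 1)", (PLACEHOLDER_DEFAULT_USER, _hash_password(bootstrap)))
    return bootstrap


def default_credentials_present(conn: sqlite3.Connection) -> bool:
    # Defender check: does the well-known credential still authenticate as the admin account?
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (PLACEHOLDER_DEFAULT_USER,)).fetchone()
    return bool(row) and verify_password(row[0], PLACEHOLDER_DEFAULT_PASSWORD)
```

Running `default_credentials_present()` against a fresh database seeded by each routine shows the vulnerable one leaves the known credential valid while the hardened one does not; the `must_change` flag is what the login handler would use to force a password reset before granting access to anything else.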

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor EstrellaXD
Product Auto_Bangumi
Versions Default: unaffected
  • affected from 0 to 3.2.8 (excl.)

Credits

  • George Chen (finder)

References

Problem Types

  • CWE: Use of Default Credentials