CVE-2026-8668 PUBLISHED

Hardcoded credentials in embedded content

Assigner: ProgressSoftware
Reserved: 15.05.2026 Published: 18.06.2026 Updated: 18.06.2026

A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues. Queue messages contained tenant-specific identifiers. The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L/E:P/S:N/AU:Y/RE:L
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	High
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	None	Availability	Low	Availability	Low
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Progress Chef
Product	Chef360
Versions	Default: unaffected affected from 0 to 1.7.1 (excl.)

Workarounds

Remove content from bundled tools; change password

Solutions

Fixed in 1.7.1

References

https://docs.chef.io/release_notes/360/

Problem Types

CWE-523 Unprotected transport of credentials CWE

Impacts

CAPEC-21 Exploitation of Trusted Identifiers