CVE-2026-58466
EstrellaXD · Auto_Bangumi
Auto_Bangumi contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to gain administrative access.
Executive summary
Auto_Bangumi is susceptible to an authentication bypass via hard-coded default credentials, enabling unauthorized administrative access to the application.
Vulnerability
The application seeds default credentials during initial startup when the user table is empty. An unauthenticated attacker can leverage these known credentials to authenticate as an administrator and gain full control over the application.
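The seeding pattern described above, beside a first-run bootstrap that does not bake a credential into the source, as an added Python example (Auto_Bangumi is a Python application). This is illustrative code, not the project's own; the in-memory store, the AB_INITIAL_PASSWORD variable name and the placeholder password are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserStore:
    """Stand-in for the application's user table (constructed for this example)."""
    users: dict = field(default_factory=dict)  # username -> (salt, digest, must_change)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def seed_vulnerable(store: UserStore) -> None:
    """Vulnerable pattern: a fixed username/password literal in the code.
    Every fresh install gets the same admin login, so anyone who knows the
    default can authenticate. Placeholder value; the real default is not shown."""
    if not store.users:
        salt = os.urandom(16)
        store.users["admin"] = (salt, _hash("DEFAULT_PASSWORD_PLACEHOLDER", salt), False)


def seed_hardened(store: UserStore, env: dict) -> Optional[str]:
    """Hardened pattern: no credential literal. The first admin password is
    supplied by the deployment (AB_INITIAL_PASSWORD, assumed name) or generated
    once with `secrets` and returned so the operator can read it from the startup
    log. The account is flagged must_change so the bootstrap value is short-lived.
    Returns the password that was set, or None when the table was not empty."""
    if store.users:
        return None  # table already populated: never reseed an admin account
    password = env.get("AB_INITIAL_PASSWORD") or secrets.token_urlsafe(24)
    salt = os.urandom(16)
    store.users["admin"] = (salt, _hash(password, salt), True)
    return password


def verify(store: UserStore, username: str, password: str) -> bool:
    """Constant-time check of a login attempt against the stored digest."""
    rec = store.users.get(username)
    if rec is None:
        return False
    salt, digest, _ = rec
    return hmac.compare_digest(_hash(password, salt), digest)
```

With the hardened seeding, a login using a guessed default fails, and an existing user table is never overwritten on restart.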
Business impact
A CVSS score of 9.8 reflects the critical nature of this flaw, as it permits full administrative takeover of the application. This could result in the unauthorized modification of downloader configurations, interception of RSS feeds, and exposure of sensitive API endpoints, potentially leading to a complete compromise of the automated media management workflow.
Remediation
Immediate Action: Update the application to version 3.2.8 or later, which addresses the insecure default user creation process.
Proactive Monitoring: Review system logs for multiple failed or anomalous login attempts and verify the list of authorized users within the application’s administrative interface.
Compensating Controls: Ensure the instance is not exposed to the public internet and require access via a secure VPN or an authenticated reverse proxy to limit the attack surface.
Exploitation status
Public Exploit Available: False
Analyst recommendation
The presence of hard-coded credentials represents a significant security oversight that facilitates immediate unauthorized access. Administrators must update the software and verify that no unauthorized user accounts were created during the period the application was exposed. Access control policies should be strictly enforced to prevent unauthorized actors from reaching the login endpoint.