CVE-2026-58466

EstrellaXD · Auto_Bangumi

Auto_Bangumi contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to gain administrative access.

Executive summary

Auto_Bangumi is susceptible to an authentication bypass via hard-coded default credentials, enabling unauthorized administrative access to the application.

Vulnerability

The application seeds default credentials during initial startup when the user table is empty. An unauthenticated attacker can leverage these known credentials to authenticate as an administrator and gain full control over the application.
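The seeding pattern described above, next to a hardened variant, as an added illustration that is not Auto_Bangumi's own code: the in-memory user table, the `BOOTSTRAP_USER` name, the placeholder password string and all helper functions are assumptions of this example. The hardened version generates a random per-install secret, stores only a salted hash, and flags the account so its first login must rotate the password.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the application's user table (dict keyed by username);
# this is an added illustration, not Auto_Bangumi's own schema or code.
BOOTSTRAP_USER = "admin"
PBKDF2_ROUNDS = 200_000

def make_record(password: str, must_change: bool) -> dict:
    """Store a salted PBKDF2 hash, never the cleartext password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "must_change": must_change}

def verify_login(users: dict, username: str, password: str) -> bool:
    """Constant-time comparison of the submitted password against the stored hash."""
    record = users.get(username)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])

def seed_users_insecure(users: dict) -> None:
    """The pattern the advisory describes: an empty table is seeded with a fixed,
    documented credential that every unpatched install shares (placeholder value)."""
    if not users:
        users[BOOTSTRAP_USER] = make_record("FIXED-DEFAULT-PLACEHOLDER", must_change=False)

def seed_users_hardened(users: dict) -> str:
    """Seed a random per-install bootstrap secret instead, flagged so the first
    successful login must rotate it. Returns the secret for one-time display to
    the operator, or an empty string if the table was already populated."""
    if users:
        return ""
    bootstrap = secrets.token_urlsafe(24)
    users[BOOTSTRAP_USER] = make_record(bootstrap, must_change=True)
    return bootstrap

def rotate_password(users: dict, username: str, new_password: str) -> None:
    """Replace the bootstrap credential and clear the must-change flag."""
    users[username] = make_record(new_password, must_change=False)

def accounts_needing_rotation(users: dict) -> list:
    """Audit helper: bootstrap accounts whose credential was never changed."""
    return sorted(u for u, r in users.items() if r["must_change"])
```

`accounts_needing_rotation` is the check an administrator would run after patching: any account still flagged has never had its bootstrap secret replaced.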

Business impact

A CVSS score of 9.8 reflects the critical nature of this flaw, as it permits full administrative takeover of the application. This could result in the unauthorized modification of downloader configurations, interception of RSS feeds, and exposure of sensitive API endpoints, potentially leading to a complete compromise of the automated media management workflow.

Remediation

Immediate Action: Update the application to version 3.2.8 or later, which addresses the insecure default user creation process.

Proactive Monitoring: Review system logs for multiple failed or anomalous login attempts and verify the list of authorized users within the application’s administrative interface.

Compensating Controls: Ensure the instance is not exposed to the public internet and require access via a secure VPN or an authenticated reverse proxy to limit the attack surface.

Exploitation status

Public Exploit Available: False

Analyst recommendation

The presence of hard-coded credentials represents a significant security oversight that facilitates immediate unauthorized access. Administrators must update the software and verify that no unauthorized user accounts were created during the period the application was exposed. Access control policies should be strictly enforced to prevent unauthorized actors from reaching the login endpoint.