Vantage6: Set admin user and password from environment or configuration
Description
Impact
Vantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons:
- Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights.
- The initial password is very weak, and administrators may forget to reset it.
Patches
No
Workarounds
The root user can be deleted after it has been used to create other users.
References
We could consider doing this like MongoDB, whose official Docker image takes the initial root username and password from environment variables instead of shipping a fixed default.
Additional info
Luis uses the following patch to mitigate it: ``diff diff --git a/vantage6-server/vantage6/server/__init__.py b/vantage6-server/vantage6/server/__init__.py index ea362c1e..c6dcbbd9 100644 --- a/vantage6-server/vantage6/server/__init__.py +++ b/vantage6-server/vantage6/server/__init__.py @@ -618,18 +618,30 @@ class ServerApp: # TODO use constant instead of 'Root' literal root = db.Role.get_by_name("Root") - log.warn( - f"Creating root user: " - f"username={SUPER_USER_INFO['username']}, " - f"password={SUPER_USER_INFO['password']}" - ) + # Temporary patch + # read initial root password from file (docker secret) if provided + # TODO: This is a workaround so we don't have an insecure vserver + # at the start. Ideally, we would provide an already hashed + # password. But as hashing is implemented via @validates on + # the field 'password', there isn't a nice way around this. + if os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE"): + with open( + os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE") + ) as password_file: + initial_root_password = password_file.read().strip() + log.info( + f"Creating root user with password provided via V6_INITIAL_ROOT_PASSWORD_FILE" + ) + else: + initial_root_password = SUPER_USER_INFO["password"] + log.warn(f"Creating root user with default credentials!") user = db.User( username=SUPER_USER_INFO["username"], roles=[root], organization=org, email="root@domain.ext", - password=SUPER_USER_INFO["password"], + password=initial_root_password, failed_login_attempts=0, last_login_attempt=None, ) ``
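Review bot: the new branch reads the secret file but never checks the result, so an empty or whitespace-only file (a common Docker secret misconfiguration) leaves `initial_root_password = ""` and the server starts with a blank root password, which is weaker than the default it replaces. Add a guard after the read, e.g. `if not initial_root_password: raise ValueError("V6_INITIAL_ROOT_PASSWORD_FILE is empty")`; an unreadable path already aborts startup through the `open()` exception, which is the right behaviour, and an empty file should abort the same way. Minor: `os.environ.get("V6_INITIAL_ROOT_PASSWORD_FILE")` is evaluated twice (bind it once), both `f"..."` log strings contain no placeholders and need no `f` prefix, and `log.warn` is the deprecated alias of `log.warning`. Dropping the password from the old `log.warn` message is a good change on its own; since the `else` branch still creates the default credentials, that warning should also say which variable to set to avoid them.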
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Hardcoded default administrative credentials (username `root`, password `root`) in the server initialization code."
Attack vector
An attacker who knows that a Vantage6 server is running can attempt to log in with the well-known credentials `root`/`root`. Because the initial password is both weak and widely documented, the attacker can gain administrative access to the server without any additional authentication bypass. This is a classic hardcoded-credential weakness [CWE-798]. The attack requires only network access to the server's login interface.
Affected code
The vulnerability resides in `vantage6-server/vantage6/server/__init__.py` within the `ServerApp` class, where a superuser with username `root` and password `root` is created by default. The patch modifies the user-creation block to optionally read the initial root password from a file specified by the `V6_INITIAL_ROOT_PASSWORD_FILE` environment variable instead of always using the hardcoded default.
What the fix does
The patch introduces an optional environment variable `V6_INITIAL_ROOT_PASSWORD_FILE` that allows administrators to supply the initial root password via a Docker secret or file. If the variable is set, the password is read from that file (and the startup log no longer prints the password in clear text, as the old `log.warn` call did); otherwise the code falls back to the hardcoded default and logs a warning. This change does not eliminate the default credential but gives operators a mechanism to override it, reducing the likelihood that a production server will retain the weak `root`/`root` credentials.
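To show how the bootstrap step can refuse to start insecurely rather than merely warn, here is an added example of a resolver for the initial root password. It is not vantage6 code: it reuses the `V6_INITIAL_ROOT_PASSWORD_FILE` variable name from the patch above, but the function names, the minimum-length policy and the random-password fallback are assumptions made for this illustration. It handles the failure modes the patch leaves open: an empty secret file, a file that contains the weak default, and no secret at all.

```python
"""Illustrative root-password bootstrap (example code, not vantage6's own).

Assumptions: the environment variable name comes from the patch above; the
default credential "root" is the one the advisory describes; MIN_LENGTH,
the generated-password fallback and the function names are invented here.
"""
import os
import secrets
import string
from pathlib import Path
from typing import Callable, Mapping, Tuple

PASSWORD_FILE_VAR = "V6_INITIAL_ROOT_PASSWORD_FILE"  # name used in the patch
DEFAULT_ROOT_PASSWORD = "root"  # weak default the advisory describes
MIN_LENGTH = 12  # assumed policy for this example, not a vantage6 setting


class InsecureBootstrapError(RuntimeError):
    """Raised when the server would otherwise start with an unusable root password."""


def generate_password(length: int = 24) -> str:
    """Random bootstrap password from the CSPRNG-backed `secrets` module."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _read_secret_file(path: str) -> str:
    """Default file reader; Docker secrets are plain files under /run/secrets."""
    return Path(path).read_text(encoding="utf-8")


def resolve_initial_root_password(
    env: Mapping[str, str],
    *,
    allow_generate: bool = True,
    read_file: Callable[[str], str] = _read_secret_file,
) -> Tuple[str, str]:
    """Return (password, source) for the first root user.

    `env` and `read_file` are injected so the policy can be exercised without
    touching os.environ or the filesystem. Order of precedence:
    secret file -> generated random value -> fail closed. The weak default is
    never accepted, and an empty or short secret aborts startup instead of
    silently producing a blank password.
    """
    path = env.get(PASSWORD_FILE_VAR)
    if path:
        try:
            password = read_file(path).strip()
        except OSError as exc:
            # A configured-but-unreadable secret is a deployment error.
            raise InsecureBootstrapError(
                f"cannot read {PASSWORD_FILE_VAR}={path!r}: {exc}"
            ) from exc
        if not password:
            raise InsecureBootstrapError(f"{PASSWORD_FILE_VAR} points at an empty file")
        if password == DEFAULT_ROOT_PASSWORD:
            raise InsecureBootstrapError("secret file contains the default root password")
        if len(password) < MIN_LENGTH:
            raise InsecureBootstrapError(
                f"initial root password shorter than {MIN_LENGTH} characters"
            )
        return password, "file"
    if allow_generate:
        # No secret supplied: generate one rather than ship root/root. The
        # caller is expected to print or store it once for the operator.
        return generate_password(), "generated"
    raise InsecureBootstrapError(f"{PASSWORD_FILE_VAR} is not set and generation is disabled")


if __name__ == "__main__":
    # Stand-alone run against the real environment.
    pw, source = resolve_initial_root_password(os.environ)
    print(f"root password source: {source}")
    if source == "generated":
        print(f"one-time generated root password: {pw}")
```

With `allow_generate=False` the server fails closed when no secret is provided, which is the behaviour to prefer for production images; the generated fallback suits local development, where a random value printed once is still better than a known default.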
Preconditions
- Network access to the Vantage6 server's login endpoint
- The server must still be using the default root/root credentials (i.e., the administrator has not deleted the root user or changed the password)
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.