CWE-798
Use of Hard-coded Credentials
Description
The product contains hard-coded credentials, such as a password or cryptographic key.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-191 · CAPEC-70
CVEs mapped to this weakness (556)
page 27 of 28

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-54947 | | | 0.00 | — | 0.00 | | Dec 12, 2025 | In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key.… |
| CVE-2024-9594 | | — | 0.00 | — | 0.02 | | Oct 15, 2024 | A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are… |
| CVE-2024-9486 | | — | 0.00 | — | 0.02 | | Oct 15, 2024 | A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the… |
| CVE-2023-27584 | | | 0.00 | — | 0.34 | | Sep 19, 2024 | Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded,… |
| CVE-2024-36264 | | | 0.00 | — | 0.01 | | Jun 12, 2024 | ** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this… |
| CVE-2024-23687 | | | 0.00 | — | 0.01 | | Jan 19, 2024 | Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines. |
| CVE-2024-23685 | | | 0.00 | — | 0.01 | | Jan 19, 2024 | Hard-coded credentials in mod-remote-storage versions under 1.7.2 and from 2.0.0 to 2.0.3 allows unauthorized users to gain read access to mod-inventory-storage records including instances, holdings, items, contributor-types, and identifier-types. |
| CVE-2023-46943 | | — | 0.00 | — | 0.01 | | Jan 13, 2024 | An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs),… |
| CVE-2023-50974 | | — | 0.00 | — | 0.00 | | Jan 9, 2024 | In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials. |
| CVE-2023-31579 | | | 0.00 | — | 0.01 | | Nov 2, 2023 | Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token. |
| CVE-2023-31581 | | — | 0.00 | — | 0.01 | | Oct 24, 2023 | Dromara Sureness before v1.0.8 was discovered to use a hardcoded key. |
| CVE-2023-5318 | | | 0.00 | — | 0.01 | | Sep 30, 2023 | Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0. |
| CVE-2023-43637 | | — | 0.00 | — | 0.00 | | Sep 21, 2023 | Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return… |
| CVE-2023-2138 | | | 0.00 | — | 0.01 | | Apr 18, 2023 | Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. |
| CVE-2023-1269 | | — | 0.00 | — | 0.01 | | Mar 8, 2023 | Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2023-25823 | | | 0.00 | — | 0.01 | | Feb 23, 2023 | Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private… |
| CVE-2023-22463 | | — | 0.00 | — | 0.70 | | Jan 4, 2023 | KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online… |
| CVE-2022-39273 | | | 0.00 | — | 0.01 | | Oct 6, 2022 | FlyteAdmin is the control plane for the data processing platform Flyte. Users who enable the default Flyte’s authorization server without changing the default clientid hashes will be exposed to the public internet. In an effort to make enabling authentication easier for Flyte… |
| CVE-2022-35540 | | — | 0.00 | — | 0.01 | | Aug 18, 2022 | Hardcoded JWT Secret in AgileConfig <1.6.8 Server allows remote attackers to use the generated JWT token to gain administrator access. |
| CVE-2022-23942 | | — | 0.00 | — | 0.03 | | Apr 26, 2022 | Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure. |