⚡ Active KEV CVE-2026-58466 2026-07-02

CVE-2026-58466: Hard-Coded Default Admin Credentials in AutoBangumi

"A critical hard-coded default credentials flaw in AutoBangumi before version 3.2.8 lets unauthenticated attackers log in as the administrator and seize full control of the application."

What Is It

CVE-2026-58466 is a hard-coded default credentials vulnerability (CWE-1392) in AutoBangumi, the anime RSS automation tool from EstrellaXD. At startup, the add_default_user() function in the database user module seeds a fixed default credential set whenever the users table is empty. Because those credentials are publicly known, an unauthenticated attacker can submit them to the login endpoint and authenticate as the administrator. The issue carries a CVSS 3.1 base score of 9.8 (CRITICAL): network attack vector, low attack complexity, no privileges required and no user interaction.
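
To make the flaw class concrete, here is an added example (not AutoBangumi's code) contrasting the seed-on-empty-table pattern with a hardened first-run bootstrap that forces rotation. The function names echo the page's add_default_user(); the credential values and the in-memory users table are constructed placeholders.

```python
# Added example, not AutoBangumi's code: an illustrative re-implementation of the
# seed-on-empty-table pattern behind CWE-1392, with a hardened alternative.
# Function names mirror the page's add_default_user(); credentials are placeholders.
import hashlib
import hmac
import os
import secrets
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; stored alongside its per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password: str, must_rotate: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "must_rotate": must_rotate}

def vulnerable_add_default_user(users: dict) -> None:
    """Vulnerable pattern: a fixed credential is seeded whenever the users table
    is empty. Anyone who reads the source knows it. (Constructed placeholder.)"""
    if not users:
        users["admin"] = _record("PLACEHOLDER-DEFAULT-PASSWORD", must_rotate=False)

def hardened_add_default_user(users: dict) -> Optional[str]:
    """Hardened pattern: seed a random bootstrap secret, mark it single-use, and
    return it once so the operator can read it from first-run output."""
    if users:
        return None
    bootstrap = secrets.token_urlsafe(24)
    users["admin"] = _record(bootstrap, must_rotate=True)
    return bootstrap

def login(users: dict, username: str, password: str) -> str:
    """'ok', 'rotate_required' (bootstrap secret still in place) or 'denied'."""
    user = users.get(username)
    if user is None:
        return "denied"
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return "denied"
    return "rotate_required" if user["must_rotate"] else "ok"

def rotate_password(users: dict, username: str, old: str, new: str) -> bool:
    """Replace the bootstrap secret; only then does login() return 'ok'."""
    if login(users, username, old) == "denied":
        return False
    users[username] = _record(new, must_rotate=False)
    return True
```

The hardened variant never lets the seeded secret act as a working administrator credential: it can only be exchanged for an operator-chosen password.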

Why It Matters

Successful exploitation grants an attacker full control of the application. Per the source material, that includes RSS feed configuration, downloader configuration, and all authenticated API endpoints. The CVSS vector rates confidentiality, integrity, and availability impact all as HIGH, and the CVSS 4.0 secondary metric scores it 9.3 (CRITICAL). With the attack requiring only network access and publicly known credentials, the barrier to abuse is effectively nonexistent for any exposed instance.

What's Vulnerable

Patch Status

The vulnerability is fixed in AutoBangumi 3.2.8. Users should upgrade to release 3.2.8 or later, which addresses the flaw via commit 487bdfec545e805ae416e6ddf28651bd274d6a73. No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed by KEV at this time.

Sources