CWE-798 1737 個 CVE MITRE 定義 ↗

CWE-798:Use of Hard-coded Credentials

概覽

CWE-798(Use of Hard-coded Credentials)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product contains hard-coded credentials, such as a password or cryptographic key.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Mobile Undetermined
technology ICS/OT Often

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-49352 2026-07-15 9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js, …
CVE-2026-61740 2026-07-15 LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAG_API_KEY set but AUTH_ACCOUNTS unset, X-API-Key protection can be bypassed beca…
CVE-2026-61684 2026-07-15 FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/* authenticate only by verifying a JWT signed with INVOKE_TOKEN_SE…
CVE-2026-37270 2026-07-07 Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.
CVE-2026-57172 2026-07-07 DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordle…
CVE-2026-14807 2026-07-06 ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and passwo…
CVE-2026-13768 2026-07-02 Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Hom…
CVE-2026-13728 2026-07-02 In exception circumstances, WatchGuard Fireware OS on a FireCluster may use a hard-coded encryption key to encrypt saved credentials for Access Portal resources. This vulnerability affects Fireware O…
CVE-2026-7839 2026-07-01 UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeate…
CVE-2026-56278 2026-06-30 Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is …
CVE-2026-50110 2026-06-30 Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding…
CVE-2026-31928 2026-06-26 The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using thes…
CVE-2026-46386 2026-06-26 OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. …
CVE-2026-56269 2026-06-24 Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/u…
CVE-2026-12628 2026-06-22 IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardc…
CVE-2026-11746 2026-06-21 A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to …
CVE-2026-56265 2026-06-21 Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentica…
CVE-2026-47847 2026-06-18 Bitnami MariaDB Galera container images and Helm chart are affected by a hardcoded default credential vulnerability in the Galera replication health-check user. The MARIADB_REPLICATION_USER and MARIAD…
CVE-2026-47846 2026-06-18 Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the contai…
CVE-2025-10560 2026-06-18 Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S…

內容提交

名稱
CWE Content Team
組織
MITRE
日期
2010-01-15
版本
1.8
評論
More abstract entry for hard-coded password and hard-coded cryptographic key.

內容修訂

日期 名稱 版本 重要性 評論
2010-04-05 CWE Content Team 1.8.1 updated Related_Attack_Patterns
2010-06-21 CWE Content Team 1.9 updated Common_Consequences, References
2010-09-27 CWE Content Team 1.10 updated Potential_Mitigations
2010-12-13 CWE Content Team 1.11 updated Description
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 CWE Content Team 2.0 updated Observed_Examples, Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, Relationships
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
2012-10-30 CWE Content Team 2.3 updated Demonstrative_Examples, Potential_Mitigations
2013-02-21 CWE Content Team 2.4 updated Applicable_Platforms, References
2014-07-30 CWE Content Team 2.8 updated Demonstrative_Examples, Detection_Factors
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-01-19 CWE Content Team 2.10 updated Related_Attack_Patterns
2017-11-08 CWE Content Team 3.0 updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
2018-03-27 CWE Content Team 3.1 updated References
2019-01-03 CWE Content Team 3.2 updated References, Relationships, Taxonomy_Mappings
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Relationships
2019-09-19 CWE Content Team 3.4 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-03-15 CWE Content Team 4.4 updated Demonstrative_Examples
2021-07-20 CWE Content Team 4.5 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Relationships
2022-10-13 CWE Content Team 4.9 updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships
2023-01-31 CWE Content Team 4.10 updated Description, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Taxonomy_Mappings
2023-04-27 CWE Content Team 4.11 updated References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2024-02-29 CWE Content Team 4.14 updated Observed_Examples
2024-07-16 CWE Content Team 4.15 updated Common_Consequences, Description, Diagram
2024-11-19 CWE Content Team 4.16 updated Relationships
2025-09-09 CWE Content Team 4.18 updated Detection_Factors, References
2025-12-11 CWE Content Team 4.19 updated Maintenance_Notes, Mapping_Notes, Observed_Examples, Relationships

貢獻

類型 名稱 日期 評論
Content "Mapping CWE to 62443" Sub-Working Group 2023-01-24 Suggested mappings to ISA/IEC 62443.
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
cvelogic Threat Intelligence