CVE-2026-58466: AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user()
AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: 3.2.8
- Affected Products: 1
HarborGuard Analysis
Synopsis
Hard-coded default credentials in AutoBangumi before version 3.2.8 allow an unauthenticated attacker to log in as administrator using publicly known credentials seeded at startup by the add_default_user() function when the users table is empty. The vulnerability is reachable over the network with no authentication required, and successful exploitation gives an attacker full administrative control of the application, including RSS feed configuration, downloader settings, and all authenticated API endpoints. A patched-image rebuild at version 3.2.8 is available on HarborGuard for affected environments.
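The seeding pattern the synopsis describes, shown beside a hardened variant and a post-install audit, as an added example written for this page and not AutoBangumi's own code. The sqlite schema, the PBKDF2 storage format, the environment variable AB_INITIAL_ADMIN_PASSWORD and the placeholder default username/password are all assumptions; the project's real default credentials are deliberately not reproduced.

```python
"""First-run admin seeding: the hard-coded pattern vs. a per-install secret.

Added example for the advisory above; not AutoBangumi's code. The table layout,
the env var name and the default values are assumptions (placeholders).
"""
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Mapping, Optional

# Constructed placeholder values; the real defaults are intentionally omitted.
DEFAULT_USERNAME = "admin"
DEFAULT_PASSWORD = "changeme-placeholder"

PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt, stored as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, _ = stored.split("$", 1)
    candidate = _hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def open_db() -> sqlite3.Connection:
    """In-memory users table (assumed layout) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " password_hash TEXT NOT NULL,"
        " must_change_password INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def _users_table_empty(conn: sqlite3.Connection) -> bool:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 0


def add_default_user_vulnerable(conn: sqlite3.Connection) -> None:
    """The pattern the advisory describes: when the users table is empty, seed a
    fixed username/password pair that anyone can look up in the source."""
    if _users_table_empty(conn):
        conn.execute(
            "INSERT INTO users VALUES (?, ?, 0)",
            (DEFAULT_USERNAME, _hash_password(DEFAULT_PASSWORD)),
        )
        conn.commit()


def add_default_user_hardened(
    conn: sqlite3.Connection, env: Optional[Mapping[str, str]] = None
) -> Optional[str]:
    """Seed the first admin with a per-install secret instead of a constant.

    The password comes from an operator-supplied env var (assumed name) or is
    generated randomly; the account is flagged so the login flow forces a
    password change. Returns the seeded password once (to be shown on the
    console at first start), or None when nothing was seeded.
    """
    env = os.environ if env is None else env
    if not _users_table_empty(conn):
        return None
    password = env.get("AB_INITIAL_ADMIN_PASSWORD") or secrets.token_urlsafe(24)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, 1)",
        (DEFAULT_USERNAME, _hash_password(password)),
    )
    conn.commit()
    return password


def login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Returns 'ok', 'change_required' or 'denied'; a flagged account may not
    proceed past authentication until the password has been rotated."""
    row = conn.execute(
        "SELECT password_hash, must_change_password FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None or not verify_password(password, row[0]):
        return "denied"
    return "change_required" if row[1] else "ok"


def audit_default_credentials(conn: sqlite3.Connection) -> list:
    """Defender check for existing installs: usernames whose stored hash still
    verifies against the known default password, i.e. accounts to rotate now."""
    rows = conn.execute("SELECT username, password_hash FROM users").fetchall()
    return [user for user, stored in rows if verify_password(DEFAULT_PASSWORD, stored)]
```

The audit function is the piece worth running on an instance that was first started on an affected version and later upgraded: upgrading to 3.2.8 fixes the seeding path, but an admin account that was already created with the default password stays exposed until that password is changed.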
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected AutoBangumi base layers.
HarborGuard scores this finding at CVSS 9.3 Critical (v4.0) and applies per-environment compliance policy weighting to determine urgency routing, directing alerts to the appropriate team inbox within each customer organization based on configured severity thresholds.
A patched-image rebuild at AutoBangumi 3.2.8 becomes available for any image where an affected version is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the AutoBangumi authentication endpoint over the network; no local or physical access is required.
- Authentication: Not required
No credentials are needed prior to exploitation; the attacker supplies the publicly known default credentials seeded by add_default_user() to authenticate as administrator.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user or administrator of the affected instance.
- Attack complexity: Low
Attack complexity is low; the exploit is reliable and condition-free, requiring only submission of the known default credentials to the login endpoint.
Blast Radius
- Attacker gains full administrative access and reads all application configuration, including RSS feed sources and downloader credentials stored in the application.
- Attacker modifies RSS feed and downloader configuration, redirecting media acquisition or injecting malicious feed sources.
- Attacker calls any authenticated API endpoint, enabling arbitrary changes to application state and user management.
- Attacker can disrupt the service by altering or deleting configuration, causing the downloader and feed processing pipeline to fail.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-58466 is active across customer registries and pipelines the moment the advisory is ingested. Because this is rated Critical at CVSS 9.3, it is prioritized at the top of the triage queue in every environment where AutoBangumi images are present. A rebuild against the fixed upstream release 3.2.8 is available; for customers who have auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads (median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled). Where compliance policy does not permit automated remediation, the finding is surfaced as a prioritized alert with remediation guidance pointing to the 3.2.8 upgrade.
- EstrellaXD / Auto_Bangumi: < 3.2.8 (from 0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N