HarborGuard Database

CRITICAL | CVE-2026-9142 | Published | Modified | CNA: NI

CVE-2026-9142: Insecure Default Credentials vulnerability in NI grpc-device when TLS configuration is not present

There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback. This may allow an unauthenticated user access to the server on the local network. This affects NI grpc-device 2.17.0 and prior versions.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: no fix version published yet
Affected Products: 2


HarborGuard Analysis

Synopsis

An insecure default credentials vulnerability affects NI grpc-device version 2.17.0 and earlier, as well as NI InstrumentStudio version 26.3.0 and earlier. When TLS configuration is absent and the server is bound to a network interface beyond loopback, the gRPC device server accepts connections without requiring any credentials, exposing it to unauthenticated access on the local network. Successful exploitation allows an attacker to read sensitive data from and write arbitrary data to the server. No fix versions have been published yet; HarborGuard tracks the advisory and will make a patched rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-9142 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle NI grpc-device or InstrumentStudio.

Triage (Available)

Triage is available using the CVSS v4.0 score of 9.3 (Critical), weighted further by each customer organization's compliance policy configuration; findings are routed automatically to the appropriate team inbox within the customer org based on image ownership and policy rules.

Patch (Pending upstream)

Because no upstream fix version exists for CVE-2026-9142, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment NI publishes a corrected release. In the meantime, compensating controls such as network-policy isolation for affected workloads are surfaced in the remediation guidance panel for each affected image.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the gRPC device server over the network; the vulnerability is only exposed when the server is bound to an interface beyond loopback, making it reachable on the local network.

  • Authentication: Not required

    No credentials are required; the server accepts connections without any authentication when TLS configuration is absent.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker contacts the server directly without requiring any action from a user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental setup beyond network access to the server.

Blast Radius

  • An attacker reads data served by the gRPC device server, which may include instrument readings, device state, and configuration parameters.
  • An attacker writes arbitrary data to the server, allowing manipulation of connected instrument or device behavior.
  • Because confidentiality and integrity of the vulnerable component are both fully compromised, an attacker can combine read and write access to persistently alter device configuration or exfiltrate collected measurement data.

How HarborGuard Handles This

Available on HarborGuard: because NI has not yet published a fix for CVE-2026-9142, HarborGuard monitors the NI advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment a fix version is released upstream. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. While no upstream patch exists, the remediation guidance panel for each affected image surfaces compensating controls including network-policy isolation (restricting pod-to-pod or host-to-host reachability to the gRPC device port), egress filtering to limit which workloads can reach the server, and a configuration check flag to verify whether TLS is enabled at deploy time. Customers who want to be notified the instant a fix is published can subscribe to advisory-watch alerts for this CVE from the image detail view.
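The deploy-time configuration check mentioned above, as an added example that is not HarborGuard's or NI's own code: it flags a server config that meets the CVE's precondition (bound beyond loopback with no TLS material). The JSON shape (address, port, security.server_cert/server_key) is an assumption about grpc-device's server_config.json; verify it against your installed version before wiring this into a pipeline.

```python
import ipaddress
import json

# Constructed sample configs, not taken from the advisory. The field names are an
# assumption about grpc-device's server_config.json; check them against your version.
SAMPLE_CONFIGS = {
    "loopback-no-tls": '{"address": "[::1]", "port": 31763, '
                       '"security": {"server_cert": "", "server_key": "", "root_cert": ""}}',
    "all-ifaces-no-tls": '{"address": "0.0.0.0", "port": 31763, '
                         '"security": {"server_cert": "", "server_key": ""}}',
    "all-ifaces-tls": '{"address": "[::]", "port": 31763, '
                      '"security": {"server_cert": "/etc/ni/server.crt", "server_key": "/etc/ni/server.key"}}',
    "lan-ip-no-security-block": '{"address": "192.168.10.5", "port": 31763}',
}

def is_loopback_bind(address: str) -> bool:
    """True only when the bind address is provably loopback (127/8, ::1, or 'localhost').
    Bracketed IPv6 literals are unwrapped; anything unparseable is treated as exposed."""
    addr = address.strip()
    if addr.lower() == "localhost":
        return True
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or empty address: cannot prove loopback, so fail closed

def tls_configured(security: dict) -> bool:
    """TLS counts as configured only when both a server certificate and a key are set."""
    return bool(security.get("server_cert")) and bool(security.get("server_key"))

def check_config(raw_json: str) -> dict:
    """Return {'exposed': bool, 'reason': str} for one server_config.json document.
    Exposed means: bound beyond loopback AND no TLS configuration (the CVE precondition)."""
    cfg = json.loads(raw_json)
    if is_loopback_bind(str(cfg.get("address", ""))):
        return {"exposed": False, "reason": "bound to loopback only"}
    if tls_configured(cfg.get("security") or {}):
        return {"exposed": False, "reason": "non-loopback bind but TLS configured"}
    return {"exposed": True, "reason": "non-loopback bind without TLS: unauthenticated access possible"}

def audit_all(configs: dict) -> dict:
    """Map config name -> exposed flag; a deploy gate would fail if any value is True."""
    return {name: check_config(doc)["exposed"] for name, doc in configs.items()}

if __name__ == "__main__":
    for name, exposed in audit_all(SAMPLE_CONFIGS).items():
        print(f"{name}: {'EXPOSED' if exposed else 'ok'}")
```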

Affected packages
  • NI / grpc-device
    ≤ 2.17.0
  • NI / InstrumentStudio
    ≤ 26.3.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N