CVE-2026-6043: CWE-1188 Initialization of a resource with an insecure default in Perforce Helix Core Server (P4D)
P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations
AI Analysis
Technical Summary
Perforce Helix Core Server (P4D) versions before 2026.1 have insecure default configurations that expose the server to unauthenticated remote attacks. Attackers can create arbitrary user accounts, enumerate existing users, authenticate to accounts lacking passwords, and access depot contents through the built-in 'remote' user. These vulnerabilities stem from initialization of resources with insecure defaults (CWE-1188). The 2026.1 release will address these issues by enforcing secure-by-default settings on upgrades and new installations.
Potential Impact
The vulnerability allows unauthenticated remote attackers to gain unauthorized access to source code repositories and managed assets by creating user accounts, enumerating users, and authenticating without passwords. This compromises confidentiality and integrity of the repository contents. The CVSS 4.0 score is 8.8 (high severity), reflecting the network attack vector, no required privileges or user interaction, and high impact on confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor plans to release version 2026.1 in May 2026, which will enforce secure-by-default configurations on upgrade and new installations. Until then, administrators should consider restricting network exposure of the server and manually hardening configurations to prevent unauthorized access.
CVE-2026-6043: CWE-1188 Initialization of a resource with an insecure default in Perforce Helix Core Server (P4D)
Description
P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Perforce Helix Core Server (P4D) versions before 2026.1 have insecure default configurations that expose the server to unauthenticated remote attacks. Attackers can create arbitrary user accounts, enumerate existing users, authenticate to accounts lacking passwords, and access depot contents through the built-in 'remote' user. These vulnerabilities stem from initialization of resources with insecure defaults (CWE-1188). The 2026.1 release will address these issues by enforcing secure-by-default settings on upgrades and new installations.
Potential Impact
The vulnerability allows unauthenticated remote attackers to gain unauthorized access to source code repositories and managed assets by creating user accounts, enumerating users, and authenticating without passwords. This compromises confidentiality and integrity of the repository contents. The CVSS 4.0 score is 8.8 (high severity), reflecting the network attack vector, no required privileges or user interaction, and high impact on confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor plans to release version 2026.1 in May 2026, which will enforce secure-by-default configurations on upgrade and new installations. Until then, administrators should consider restricting network exposure of the server and manually hardening configurations to prevent unauthorized access.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Perforce
- Date Reserved
- 2026-04-09T17:45:51.571Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eb592887115cfb682aba36
Added to database: 4/24/2026, 11:51:04 AM
Last enriched: 4/24/2026, 12:06:01 PM
Last updated: 4/24/2026, 12:54:29 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.