Perforce Helix Core Server (P4D) prior to version 2026.1 is affected by a vulnerability (CVE-2026-6043) due to insecure default initialization settings (CWE-1188). These insecure defaults expose the server to unauthenticated remote attackers who can create arbitrary user accounts, enumerate users, authenticate to accounts without passwords, and access depot contents via the built-in 'remote' user. This can result in unauthorized access to source code and other managed assets. The vendor plans to release version 2026.1 in May 2026, which will enforce secure-by-default configurations to mitigate this issue. No current patch or official fix is documented, and the product is not a cloud service, so remediation depends on upgrading to the fixed version.

The vulnerability allows unauthenticated attackers to gain unauthorized access to Perforce Helix Core Server resources by exploiting insecure default settings. Attackers can create arbitrary user accounts, enumerate existing users, authenticate to accounts without passwords, and access depot contents through the built-in 'remote' user. This compromises the confidentiality and integrity of source code repositories and other managed assets. The CVSS 4.0 score of 8.8 reflects a high impact due to network attack vector, no required privileges, and no user interaction needed.

As of the published information, no official patch or remediation is available except upgrading to Perforce Helix Core Server version 2026.1, expected in May 2026, which enforces secure-by-default configurations. Users should plan to upgrade to this version once released. Until then, restricting network exposure of affected servers and applying network-level access controls to limit untrusted network access may reduce risk. Patch status is not yet confirmed beyond the upcoming release—check the vendor advisory for current remediation guidance.