CVE-2026-8668: CWE-523 Unprotected transport of credentials in Progress Chef Chef360
CVE-2026-8668 is a vulnerability in Progress Chef's Chef360 product prior to version 1.7.0. It involves a static credential embedded in the software that allowed unauthenticated access to internal message queues containing tenant-specific identifiers. This credential has been rotated and replaced with per-tenant access controls in versions 1.7.0 and later, eliminating this access method.
AI Analysis
Technical Summary
The vulnerability CVE-2026-8668 in Progress Chef Chef360 prior to v1.7.0 involves the use of a static credential that permitted unauthenticated access to internal message queues. These queues contained tenant-specific identifiers, potentially exposing sensitive information. The static credential was rotated and replaced with per-tenant access controls in subsequent versions, removing the vulnerability. The CVSS 4.0 base score is 2.3, indicating a low severity issue with network attack vector, high attack complexity, and limited impact on confidentiality, integrity, and availability.
Potential Impact
The vulnerability allowed unauthenticated access to internal message queues via a static credential, exposing tenant-specific identifiers. However, the impact is limited as the CVSS score is low (2.3), indicating low confidentiality, integrity, and availability impact. There are no known exploits in the wild. The exposure is mitigated in versions 1.7.0 and later by rotating the credential and implementing per-tenant access controls.
Mitigation Recommendations
Upgrade to Chef360 version 1.7.0 or later, where the static credential has been rotated and replaced with per-tenant access controls, eliminating this vulnerability. No other remediation level or patch information is provided. Patch status is not explicitly confirmed beyond the version change; users should verify with vendor advisories for current remediation guidance.
CVE-2026-8668: CWE-523 Unprotected transport of credentials in Progress Chef Chef360
Description
CVE-2026-8668 is a vulnerability in Progress Chef's Chef360 product prior to version 1.7.0. It involves a static credential embedded in the software that allowed unauthenticated access to internal message queues containing tenant-specific identifiers. This credential has been rotated and replaced with per-tenant access controls in versions 1.7.0 and later, eliminating this access method.
CVSS v4.0
Score 2.3low
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-8668 in Progress Chef Chef360 prior to v1.7.0 involves the use of a static credential that permitted unauthenticated access to internal message queues. These queues contained tenant-specific identifiers, potentially exposing sensitive information. The static credential was rotated and replaced with per-tenant access controls in subsequent versions, removing the vulnerability. The CVSS 4.0 base score is 2.3, indicating a low severity issue with network attack vector, high attack complexity, and limited impact on confidentiality, integrity, and availability.
Potential Impact
The vulnerability allowed unauthenticated access to internal message queues via a static credential, exposing tenant-specific identifiers. However, the impact is limited as the CVSS score is low (2.3), indicating low confidentiality, integrity, and availability impact. There are no known exploits in the wild. The exposure is mitigated in versions 1.7.0 and later by rotating the credential and implementing per-tenant access controls.
Mitigation Recommendations
Upgrade to Chef360 version 1.7.0 or later, where the static credential has been rotated and replaced with per-tenant access controls, eliminating this vulnerability. No other remediation level or patch information is provided. Patch status is not explicitly confirmed beyond the version change; users should verify with vendor advisories for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ProgressSoftware
- Date Reserved
- 2026-05-15T09:51:14.946Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a346bc9f198dc38c1a1cda4
Added to database: 6/18/2026, 10:06:01 PM
Last enriched: 6/18/2026, 10:20:26 PM
Last updated: 6/19/2026, 1:38:43 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.