Cyber Posture

CVE-2026-26218

Severity: Critical · Public PoC available

Published: 12 February 2026
Modified: 25 February 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (42.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Directly requires changing default authenticators prior to first use, preventing exploitation of predictable passwords on pre-seeded administrator accounts.
- Prevent: Mandates proper account provisioning, review, and disabling of unnecessary or inactive accounts, ensuring default admin accounts are removed or secured after database initialization.
- Prevent: Requires establishing and enforcing secure configuration settings that prohibit default credentials in application deployments, addressing the vulnerability in database schema initialization.

Security Summary (AI-generated)

CVE-2026-26218, published on 2026-02-12, is a critical vulnerability in the newbee-mall application, stemming from pre-seeded administrator accounts included in its database initialization script (CWE-798). These accounts are provisioned with predictable default passwords. Deployments that initialize or reset the database using the provided schema and fail to change these default administrative credentials are susceptible to exploitation. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability by attempting to log in with the known default credentials. Successful authentication grants full administrative control of the application, enabling attackers to perform arbitrary actions such as data manipulation, user management, or further system compromise.

Mitigation guidance is available in related advisories, including the GitHub issue at https://github.com/newbee-ltd/newbee-mall/issues/119 and the VulnCheck advisory at https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover, which detail steps to change or remove default credentials during deployment.
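The root cause above is an initialization script that seeds administrator rows with a literal credential. As an added example (not code from this page, the advisories, or the newbee-mall project), the following pre-deployment check scans a SQL seed script for INSERT statements into account-like tables that write a literal password value, and reports values shared by more than one seeded account, which is the signature of a common default. The sample script and its table and column names are constructed assumptions, not newbee-mall's real schema.

```python
import csv
import re
from typing import Dict, List

# Constructed sample seed script for illustration only; the table and column
# names are assumptions and are not newbee-mall's actual schema.
SAMPLE_SEED_SQL = """
CREATE TABLE `tb_admin_user` (`admin_user_id` INT, `login_user_name` VARCHAR(50), `login_password` VARCHAR(50));
INSERT INTO `tb_admin_user` (`admin_user_id`, `login_user_name`, `login_password`) VALUES (1, 'admin', 'PLACEHOLDER_DEFAULT_HASH');
INSERT INTO `tb_admin_user` (`admin_user_id`, `login_user_name`, `login_password`) VALUES (2, 'newbee-admin', 'PLACEHOLDER_DEFAULT_HASH');
INSERT INTO `tb_goods_category` (`category_id`, `category_name`) VALUES (1, 'Books');
"""

# Single-row INSERT ... VALUES (...) statements; multi-row inserts are out of scope here.
INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+`?(\w+)`?\s*\(([^)]*)\)\s*VALUES\s*\((.*?)\)\s*;", re.I | re.S)
ACCOUNT_TABLE = re.compile(r"admin|user|account", re.I)  # tables likely to hold logins
PASSWORD_COL = re.compile(r"pass(word|wd)?|pwd|secret", re.I)
NAME_COL = re.compile(r"name", re.I)


def _parse_row(cols: str, vals: str) -> Dict[str, str]:
    """Zip the column list with the VALUES list; csv handles commas inside quotes."""
    columns = [c.strip(" `\"") for c in cols.split(",")]
    values = next(csv.reader([vals.strip()], quotechar="'", skipinitialspace=True))
    return dict(zip(columns, values))


def find_seeded_credentials(sql: str) -> List[Dict[str, str]]:
    """One finding per seeded account row that writes a literal (non-NULL) password."""
    findings = []
    for table, cols, vals in INSERT_RE.findall(sql):
        if not ACCOUNT_TABLE.search(table):
            continue
        row = _parse_row(cols, vals)
        user = next((v for c, v in row.items() if NAME_COL.search(c)), "?")
        for col, val in row.items():
            if PASSWORD_COL.search(col) and val.upper() != "NULL":
                findings.append({"table": table, "user": user, "column": col, "value": val})
    return findings


def shared_seed_values(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Password values reused across seeded accounts, a strong sign of a shared default."""
    by_value: Dict[str, List[str]] = {}
    for f in findings:
        by_value.setdefault(f["value"], []).append(f["user"])
    return {v: users for v, users in by_value.items() if len(users) > 1}
```

Run it against the seed script in CI and fail the build on any finding; seeded administrator rows should either be removed from the schema or have their credential forced to change on first login.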

Details

CWE(s): CWE-798 (Use of Hard-coded Credentials)

Affected Products

Vendor: newbee-mall project
Product: newbee-mall
Versions: ≤ 1.0.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability provides pre-seeded default administrator accounts with predictable passwords, directly enabling exploitation via valid default accounts (T1078.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
