CVE-2026-42072

Critical

Published: 08 May 2026

Published

08 May 2026

Modified

08 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 11.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42072 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CM-1 Policy and Procedures

addresses: CWE-1392

Mandates replacement of default credentials during secure configuration and provisioning procedures.

IA-1 Policy and Procedures

addresses: CWE-1392

Policy requires changing or avoiding default credentials during system setup and operation.

IA-2 Identification and Authentication (Organizational Users)

addresses: CWE-1392

Unique identification requirement prevents use of default or shared credentials by organizational users.

IA-5 Authenticator Management

addresses: CWE-1392

Changing default authenticators prior to first use prevents use of default credentials.

IA-7 Cryptographic Module Authentication

addresses: CWE-1392

Standards-compliant authentication mechanisms typically prohibit default credentials for cryptographic modules.

PM-30 Supply Chain Risk Management Strategy

addresses: CWE-1392

Consistent implementation of the strategy drives removal or mitigation of default credentials in procured systems and services.

SA-4 Acquisition Process

addresses: CWE-1392

Security functional requirements and acceptance criteria can stipulate that acquired systems must not use default credentials.

SA-5 System Documentation

addresses: CWE-1392

Documentation of known configuration vulnerabilities and secure setup practices reduces reliance on default credentials.

NVD Description

Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but…

never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database — with its default admin:password credentials — to any device sharing the network. This issue has been patched in version 1.0.42-hotfix.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-1392

CVEs Like This One

CVE-2026-1972Shared CWE-1392

CVE-2025-30139Shared CWE-1392

CVE-2025-8731Shared CWE-1392

CVE-2026-26341Shared CWE-1392

CVE-2025-1160Shared CWE-1392

CVE-2025-34516Shared CWE-1392

CVE-2025-23012Shared CWE-1392

CVE-2025-0482Shared CWE-1392

CVE-2025-2398Shared CWE-1392

CVE-2026-26366Shared CWE-1392

References

https://github.com/orneryd/NornicDB/commit/adce4f9a9fc7b6aada07c0bfa2d737cd7a6efaca
security-advisories@github.com
https://github.com/orneryd/NornicDB/releases/tag/v1.0.42
security-advisories@github.com
https://github.com/orneryd/NornicDB/security/advisories/GHSA-2hp7-65r3-wv54
security-advisories@github.com