CVE-2026-6043

HIGH

Insecure Default Configuration in P4 Server

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-6043. PoCs published by flyingllama87.

AI-analyzed exploit summary This repository contains functional exploit code targeting Perforce Helix Core servers with insecure defaults (CVE-2026-6043). It includes tools for unauthenticated user enumeration, password brute-forcing, and remote depot access via the 'remote' user. The tools leverage the Perforce binary protocol (port 1666) to exploit misconfigurations like unauthenticated user listing and lack of rate-limiting.

Description

P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations

Exploits (1)

nomisec WORKING POC

by flyingllama87 · poc

https://github.com/flyingllama87/p4wned

View Code ZIP pw:eip

This repository contains functional exploit code targeting Perforce Helix Core servers with insecure defaults (CVE-2026-6043). It includes tools for unauthenticated user enumeration, password brute-forcing, and remote depot access via the 'remote' user. The tools leverage the Perforce binary protocol (port 1666) to exploit misconfigurations like unauthenticated user listing and lack of rate-limiting.

Classification

Working Poc 95%

Attack Type

Info Leak | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Perforce Helix Core Server (versions below 2025.1 with security < 4)

No auth needed

Prerequisites: Perforce CLI binary (p4) · local p4d instance for remote depot scanning · Perforce C++ API for brute-force tool

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Apr 27, 2026 Full analysis →

References (3)

Core 3

Core References

X_Workaround x_workaround mitigation

https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/security-configurables.html

X_Workaround, Mitigation x_workaround mitigation

https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/secure-by-default-overview.html

https://portal.perforce.com/s/cve/a91Qi000002wRUvIAM/insecure-default-configuration-in-p4-server

Scores

CVSS v4 8.8

EPSS 0.0046

EPSS Percentile 36.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1188

Status published

Products (1)

Perforce/Helix Core Server (P4D) < 2025.2

Published Apr 24, 2026

Tracked Since Apr 24, 2026