CVE-2026-26218
Published: 12 February 2026
Summary
CVE-2026-26218 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Newbee-Mall Project Newbee-Mall. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts: Default Accounts (T1078.001). The vulnerability ranks at the 42.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly requires changing default authenticators prior to first use, preventing exploitation of predictable passwords on pre-seeded administrator accounts.
- AC-2 (Account Management): mandates proper account provisioning, review, and disabling of unnecessary or inactive accounts, ensuring default admin accounts are removed or secured after database initialization.
- CM-6 (Configuration Settings): requires establishing and enforcing secure configuration settings that prohibit default credentials in application deployments, addressing the vulnerability at the point of database schema initialization.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability provides pre-seeded default administrator accounts with predictable passwords, directly enabling exploitation via valid default accounts (T1078.001).
NVD Description
newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.
Deeper analysis
CVE-2026-26218, published on 2026-02-12, is a critical vulnerability in the newbee-mall application, stemming from pre-seeded administrator accounts included in its database initialization script (CWE-798). These accounts are provisioned with predictable default passwords. Deployments that initialize or reset the database using the provided schema and fail to change these default administrative credentials are susceptible to exploitation. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability by attempting to log in with the known default credentials. Successful authentication grants full administrative control of the application, enabling attackers to perform arbitrary actions such as data manipulation, user management, or further system compromise.
Mitigation guidance is available in related advisories, including the GitHub issue at https://github.com/newbee-ltd/newbee-mall/issues/119 and the VulnCheck advisory at https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover, which detail steps to change or remove default credentials during deployment.
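As an added illustration (not code from newbee-mall or from this advisory), the following Python script performs the pre-deployment check that the controls above call for: it parses INSERT statements in a database initialization script, extracts the seeded administrator rows, and flags any row whose stored password equals a common default, either in plaintext or as an unsalted MD5, SHA-1 or SHA-256 hex digest. The table and column names, the sample script and the wordlist are constructed for the example; the real schema, hashing scheme and default values must be taken from the project's own initialization script, and the wordlist should be extended with whatever that script actually seeds.

```python
import hashlib
import re

# Constructed sample init script. Table and column names are assumptions for
# illustration only, not the real newbee-mall schema.
SAMPLE_INIT_SQL = """
CREATE TABLE tb_admin_user (
  admin_user_id bigint NOT NULL AUTO_INCREMENT,
  login_user_name varchar(50) NOT NULL,
  login_password varchar(50) NOT NULL,
  PRIMARY KEY (admin_user_id)
);
INSERT INTO tb_admin_user (admin_user_id, login_user_name, login_password)
VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e'),
       (2, 'newbee-admin1', '0192023a7bbd73250516f069df18b500'),
       (3, 'ops', 'f3b8d4f9e2c1a0b7d6e5f4c3b2a19081');
"""

# Constructed wordlist of values commonly seeded as default passwords.
DEFAULT_WORDLIST = ["123456", "admin", "admin123", "password", "newbee"]

# Simple matcher for "INSERT INTO t (cols) VALUES (...), (...);" statements.
# Good enough for typical seed scripts; values containing commas or
# parentheses would need a real SQL parser.
INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+(?P<table>\w+)\s*\((?P<cols>[^)]*)\)\s*VALUES\s*(?P<values>.*?);",
    re.IGNORECASE | re.DOTALL,
)
ROW_RE = re.compile(r"\((?P<row>[^)]*)\)")


def _split_row(row):
    """Split one VALUES tuple into unquoted string values."""
    return [v.strip().strip("'\"") for v in row.split(",")]


def _candidate_forms(word):
    """Plaintext plus the unsalted hex digests a legacy app might store."""
    data = word.encode()
    return {
        word,
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    }


def seeded_accounts(sql_text, user_col="login_user_name", pass_col="login_password"):
    """Return (table, username, stored_password) for every seeded row that
    carries both the user and password columns (assumed column names)."""
    accounts = []
    for m in INSERT_RE.finditer(sql_text):
        cols = [c.strip() for c in m.group("cols").split(",")]
        if user_col not in cols or pass_col not in cols:
            continue
        ui, pi = cols.index(user_col), cols.index(pass_col)
        for r in ROW_RE.finditer(m.group("values")):
            vals = _split_row(r.group("row"))
            if len(vals) != len(cols):
                continue  # malformed row; skip rather than guess
            accounts.append((m.group("table"), vals[ui], vals[pi]))
    return accounts


def find_default_credentials(sql_text, wordlist=DEFAULT_WORDLIST):
    """Flag seeded accounts whose stored password matches a wordlist entry
    in plaintext or as an unsalted hex digest."""
    lookup = {}
    for w in wordlist:
        for form in _candidate_forms(w):
            lookup[form.lower()] = w
    findings = []
    for table, user, secret in seeded_accounts(sql_text):
        word = lookup.get(secret.lower())
        if word is not None:
            findings.append({"table": table, "user": user, "default": word})
    return findings


def deployment_is_safe(sql_text, wordlist=DEFAULT_WORDLIST):
    """Gate for a deploy pipeline: True only when no seeded admin uses a
    known default credential."""
    return not find_default_credentials(sql_text, wordlist)


if __name__ == "__main__":
    for f in find_default_credentials(SAMPLE_INIT_SQL):
        print(f"{f['table']}.{f['user']}: default password '{f['default']}'")
    print("safe to deploy:", deployment_is_safe(SAMPLE_INIT_SQL))
```

Run this against the schema before the first database initialization and fail the deployment when it returns findings; the matched rows should then be rewritten to a randomly generated password stored with the application's password hashing scheme, or deleted outright and recreated through the normal provisioning path.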
Details
- CWE(s)