Cyber Resilience

CVE-2026-26218

Critical · Public PoC

Published: 12 February 2026

Modified: 25 February 2026
KEV Added
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0037 (28.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26218 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Newbee-Mall Project Newbee-Mall. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 28.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-26218, published on 2026-02-12, is a critical vulnerability in the newbee-mall application, stemming from pre-seeded administrator accounts included in its database initialization script (CWE-798). These accounts are provisioned with predictable default passwords. Deployments that initialize or reset the database using the provided schema and fail to change these default administrative credentials are susceptible to exploitation. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability by attempting to log in with the known default credentials. Successful authentication grants full administrative control of the application, enabling attackers to perform arbitrary actions such as data manipulation, user management, or further system compromise.

Mitigation guidance is available in related advisories, including the GitHub issue at https://github.com/newbee-ltd/newbee-mall/issues/119 and the VulnCheck advisory at https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover, which detail steps to change or remove default credentials during deployment.

Vulnerability details

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability provides pre-seeded default administrator accounts with predictable passwords, directly enabling exploitation via valid default accounts (T1078.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26219 · Same product: Newbee-Mall Project Newbee-Mall
CVE-2026-22900 · Shared CWE-798
CVE-2024-51547 · Shared CWE-798
CVE-2024-46433 · Shared CWE-798
CVE-2019-25322 · Shared CWE-798
CVE-2026-27785 · Shared CWE-798
CVE-2020-37135 · Shared CWE-798
CVE-2026-24346 · Shared CWE-798
CVE-2026-25803 · Shared CWE-798
CVE-2025-33089 · Shared CWE-798

Affected Assets

newbee-mall project
newbee-mall
≤ 1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires changing default authenticators prior to first use, preventing exploitation of predictable passwords on pre-seeded administrator accounts.

prevent

Mandates proper account provisioning, review, and disabling of unnecessary or inactive accounts, ensuring default admin accounts are removed or secured after database initialization.

prevent

Requires establishing and enforcing secure configuration settings that prohibit default credentials in application deployments, addressing the vulnerability in database schema initialization.
