OpenAtlas <=8.11.0 Hardcoded Admin Credentials Vulnerability (CVE-2025-51536)

Key Information Vulnerability Details CVE-ID: CVE-2025-51536 Product: OpenAtlas Vendor: Austrian Academy of Sciences (Österreichische Akademie der Wissenschaften) Affected Versions: <= 8.11.0 Fixed Version: 8.12.0 CVSS v3.1: 9.8 Critical CWE: CWE-1932 References: - OpenAtlas Release Notes - NVD (National Vulnerability Database) - EUVD (European Union Vulnerability Database) Vulnerability Description Issue: A hardcoded administrator account exists in default installations and is publicly visible on GitLab. Impact: - If the password is not changed, this globally known login remains active and holds full administrative privileges. - External attackers can immediately register and fully take over the application. Vendor Statement New installations do not create any users (via installation), and when creating an admin user, a prompt to set a new password is enforced. The vulnerability is resolved by ensuring that admin user creation is done only once. Recommended Actions Upgrade to version [8.12.0] Temporary mitigation: Change the administrator password Timeline May 19, 2025: Vulnerability discovered during On-Premise testing. May 21, 2025: First contact with vendor. May 22, 2025: Confirmation received from vendor. May 26, 2025: Report sent to vendor. June 9, 2025: Vendor confirms vulnerability has been fixed. June 10, 2025: Re-test scheduled. June 12, 2025: Re-test successful, report updated and sent to vendor.

Goal Reached Thanks to every supporter — we hit 100%!

OpenAtlas <=8.11.0 Hardcoded Admin Credentials Vulnerability (CVE-2025-51536)