CVE-2026-8668
CVE-2026-8668 is a low-severity vulnerability with a CVSS 4.0 base score of 2.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-523.
Key facts
- Severity: Low (CVSS 4.0 base score 2.3)
- EPSS exploit prediction: 0% (7th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-37956
- Weakness: CWE-523
- Published:
- Last modified:
Description
A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues. Queue messages contained tenant-specific identifiers. The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely.
Frequently asked questions
- What is CVE-2026-8668?
- A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues. Queue messages contained tenant-specific identifiers. The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely.
- How severe is CVE-2026-8668?
- CVE-2026-8668 has a CVSS 4.0 base score of 2.3, rated low severity.
- Is CVE-2026-8668 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (7th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-8668?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-8668 have an EU (EUVD) identifier?
- Yes. CVE-2026-8668 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-37956.
- When was CVE-2026-8668 published?
- CVE-2026-8668 was published on 2026-06-18 and last updated on 2026-06-22.
References
Other CWE-523 vulnerabilities
- CVE-2024-1509 — Critical (CVSS 9.1): Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response…
- CVE-2025-57800 — High (CVSS 8.8): Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does…
- CVE-2025-61121 — High (CVSS 7.5): Mobile Scanner Android App version 2.12.38 (package name com.glority.everlens), developed by Glority Global Group Ltd.,…
- CVE-2023-31277 — High (CVSS 7.5): PiiGAB M-Bus transmits credentials in plaintext format.
- CVE-2022-31805 — High (CVSS 7.5): In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication…
- CVE-2025-64309 — High (CVSS 7.4): The affected product discloses device telemetry, configuration, and sensitive information via WebSocket traffic to…