CVE-2026-6043: P4 Server Auth Bypass Vulnerability

CVE-2026-6043 Overview

CVE-2026-6043 is an insecure default configuration vulnerability affecting Perforce P4 Server versions prior to 2026.1. When exposed to untrusted networks, these default settings allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in remote user. These combined weaknesses can lead to unauthorized access to source code repositories and other managed assets.

Critical Impact

Unauthenticated attackers can gain unauthorized access to source code repositories and managed assets through multiple insecure default settings, potentially leading to intellectual property theft and supply chain compromise.

Affected Products

• Perforce P4 Server versions prior to 2026.1
• Perforce Helix Core Server with default configurations
• P4 Server instances exposed to untrusted networks

Discovery Timeline

• 2026-04-24 - CVE-2026-6043 published to NVD
• 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-6043

Vulnerability Analysis

This vulnerability falls under CWE-1188 (Insecure Default Initialization of Resource), where the P4 Server ships with default configurations that prioritize ease of use over security. The issue is particularly concerning because it combines multiple insecure defaults that, when present together, create a significant attack surface for unauthorized access.

The vulnerability enables several attack scenarios: attackers can enumerate existing user accounts to gather intelligence about the organization, create new arbitrary user accounts for persistent access, authenticate to any account that lacks a password, and leverage the built-in remote user to access depot contents directly. This combination of weaknesses is especially dangerous in environments where the P4 Server is accessible from untrusted networks.

Root Cause

The root cause is insecure default initialization of security-critical resources in P4 Server. The server ships with permissive settings that allow unauthenticated operations, do not enforce password requirements, and include a built-in remote user with access privileges. These defaults were likely designed for ease of initial setup and internal network usage but become severe vulnerabilities when the server is exposed to broader network access.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker with network access to a vulnerable P4 Server can exploit these insecure defaults remotely. The attack does not require any privileges, making it accessible to any threat actor who can reach the server.

The exploitation process involves identifying an exposed P4 Server, then leveraging the permissive defaults to enumerate users, create accounts, or authenticate without credentials. The built-in remote user provides a reliable entry point for accessing depot contents. For detailed technical information about secure configuration practices, see the Perforce Secure by Default Overview.

Detection Methods for CVE-2026-6043

Indicators of Compromise

• Unexpected user account creation in P4 Server logs
• Authentication attempts using the remote user from external IP addresses
• User enumeration queries from untrusted network sources
• Successful authentications to accounts that should require passwords
• Unusual depot access patterns from newly created or unknown user accounts

Detection Strategies

• Monitor P4 Server authentication logs for login attempts from external or unexpected IP ranges
• Alert on new user account creation, especially from unauthenticated sources
• Audit access logs for the built-in remote user account activity
• Review server configuration to identify instances with default security settings still in place

Monitoring Recommendations

• Implement network monitoring for P4 Server traffic from untrusted network segments
• Configure SIEM rules to detect user enumeration patterns and brute-force authentication attempts
• Enable detailed audit logging on P4 Server to capture all authentication and authorization events
• Regularly review user account lists for unauthorized or suspicious accounts

How to Mitigate CVE-2026-6043

Immediate Actions Required

• Upgrade to P4 Server version 2026.1 or later, which enforces secure-by-default configurations
• Restrict network access to P4 Server instances to trusted networks only using firewalls or network segmentation
• Disable or secure the built-in remote user account immediately
• Enforce password requirements for all user accounts
• Audit existing user accounts for unauthorized entries

Patch Information

Perforce has addressed this vulnerability in the 2026.1 release, which enforces secure-by-default configurations on both new installations and upgrades. Organizations should upgrade to version 2026.1 or later as soon as possible. For detailed information about the secure configuration changes, refer to the Perforce CVE Advisory and the Perforce Secure by Default Overview.

Workarounds

• Implement network-level access controls to restrict P4 Server access to trusted networks and authorized IP ranges
• Configure authentication triggers to enforce password requirements and prevent unauthenticated access
• Disable or remove the remote user account if not required for legitimate operations
• Implement IP-based access restrictions using P4 Server's protection table mechanisms
• Deploy a reverse proxy or VPN to add an additional authentication layer before P4 Server access

Configuration hardening should follow Perforce's secure-by-default guidance. Administrators should review the Perforce Secure by Default Overview for detailed configuration recommendations to harden existing deployments prior to upgrading to version 2026.1.