P4 Server Insecure Default Configuration Allowing Unauthorized User Account Creation and Access to Depot Contents
Vulnerability
A vulnerability exists in P4 Server (P4D) versions prior to 2026.1, where insecure default settings allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, and access depot contents through the built-in 'remote' user. This vulnerability arises when the server is exposed to untrusted networks, leading to unauthorized access to source code repositories and other managed assets.
Impact
Exploitation of this vulnerability could give an attacker unauthorized access to user accounts and depot contents, enabling misuse of source code repositories and other managed assets.
Remediation
Users of P4 Server (P4D) versions prior to 2026.1 should manually configure security-related server settings to harden their installation. Instructions for applying these security enhancements are available in the P4 Server Security Guidelines. The 2026.1 release will include automatic remediation for this vulnerability.
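The audit below is an added example, not taken from the advisory or from the P4 Server Security Guidelines: it checks `p4 configure show` style output for configurables that govern account auto-creation, user enumeration and the built-in 'remote' user. The mapping of configurables to this advisory's issues, the `name=value (source)` line format, the treatment of unset values as 0, and both sample outputs are assumptions of the example; the Security Guidelines remain the authoritative list.

```python
import re

# Minimum hardened values (assumed mapping to the advisory's three issues).
REQUIRED = {
    "dm.user.noautocreate": (2, "unauthenticated clients can create user accounts"),
    "run.users.authorize": (1, "'p4 users' lists accounts without authentication"),
    "dm.user.hideinvalid": (1, "login errors reveal whether a user exists"),
    "security": (4, "built-in 'remote' user is accepted for remote depot access"),
}

# Accepts "name=value (source)" and "server: name = value" lines.
LINE = re.compile(r"^\s*(?:\S+:\s+)?([\w.]+)\s*=\s*(\S+)")

# Constructed sample outputs, not captured from a real server.
WEAK = """P4ROOT=/opt/perforce/root (-r)
P4PORT=ssl:1666 (-p)
security=0 (default)
dm.user.noautocreate=0 (default)
"""
HARDENED = """security=4 (configure)
dm.user.noautocreate=2 (configure)
run.users.authorize=1 (configure)
dm.user.hideinvalid=1 (configure)
"""

def parse_configure_show(text):
    """Return {configurable: value} for every recognisable line."""
    return {m.group(1): m.group(2)
            for m in map(LINE.match, text.splitlines()) if m}

def audit(text):
    """Return (name, current, minimum, risk) for each setting below its minimum."""
    settings = parse_configure_show(text)
    findings = []
    for name, (minimum, risk) in REQUIRED.items():
        raw = settings.get(name, "0")  # assumption: unset means default 0
        value = int(raw) if raw.isdigit() else 0
        if value < minimum:
            findings.append((name, raw, minimum, risk))
    return findings

if __name__ == "__main__":
    for name, raw, minimum, risk in audit(WEAK):
        print(f"{name}={raw} (want >= {minimum}): {risk}")
```

Each finding corresponds to a `p4 configure set name=value` change made by a super user; the 'remote' user can additionally be restricted in the protections table.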
