SecuriTricks - CVE-2026-42072

Description

Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database — with its default admin:password credentials — to any device sharing the network. This issue has been patched in version 1.0.42-hotfix.

Product(s) Impacted

Vendor	Product	Versions
Nornicdb	Nornicdb	<1.0.42-hotfix, 1.0.42-hotfix

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1392

Use of Default Credentials

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	nornicdb	nornicdb	<1.0.42-hotfix	/	/	/	/	/	/	/
a	nornicdb	nornicdb	1.0.42-hotfix	/	/	/	/	/	/	/

References

https://github.com/orneryd/NornicDB/commit/adce4f9a9fc7b6aada07c0bfa2d737cd7a6efaca

https://github.com/orneryd/NornicDB/releases/tag/v1.0.42

https://github.com/orneryd/NornicDB/security/advisories/GHSA-2hp7-65r3-wv54

CVSS Score

9.8 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: May 8, 2026, 5:16 p.m.
Last Modified: May 8, 2026, 5:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-42072