Title: [Hardening] F-13: Weak Default Password and Database Encryption Key. · Issue #13341 · apache/cloudstack · GitHub
Open Graph Title: [Hardening] F-13: Weak Default Password and Database Encryption Key. · Issue #13341 · apache/cloudstack
X Title: [Hardening] F-13: Weak Default Password and Database Encryption Key. · Issue #13341 · apache/cloudstack
Description: The required feature described as a wish Description: CloudStack ships with a default administrative password and database encryption key, both set to the string "password". Neither value is randomized at install time, and the administra...
Open Graph Description: The required feature described as a wish Description: CloudStack ships with a default administrative password and database encryption key, both set to the string "password". Neither value is random...
X Description: The required feature described as a wish Description: CloudStack ships with a default administrative password and database encryption key, both set to the string "password". Neither value...
Opengraph URL: https://github.com/apache/cloudstack/issues/13341
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Hardening] F-13: Weak Default Password and Database Encryption Key.","articleBody":"### The required feature described as a wish\n\n\u003cimg width=\"899\" height=\"440\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/893a3099-dcd5-4697-b213-54bbbfc76d45\" /\u003e\n\n**Description:** CloudStack ships with a default administrative password and database encryption key, both set to the string \"password\". Neither value is randomized at install time, and the administrator is not prompted to change them during setup. Note that the database encryption key cannot be changed afterwards.\n\n**Affected Components:** Management\n\n**Impact:** An attacker with knowledge of the default credentials, which are publicly documented, can authenticate to the CloudStack Management UI without any prior reconnaissance or effort. Additionally, if the database encryption key is not changed, an attacker who gains read access to the database (e.g., via SQL injection, a misconfigured backup, or direct server access) can decrypt all protected fields, including API secret keys, passwords, and other credentials, using the known default key.\n\n**Steps to Reproduce:**\n- Deploy a fresh CloudStack instance following the official documentation.\n- Attempt to log in using the username `admin` and the password `password`.\n- Observe that login succeeds without any prompt to change the default password.\n- Separately, inspect the database encryption key on the management server:\n- $ cat /etc/cloudstack/management/key\n- Observe that the encryption key is set to the default value `password`.\n\n**Recommended Remediation:** Generate a unique password and database encryption key from a reliable source of entropy during installation (before the system becomes operational). Neither value should have a usable default.","author":{"url":"https://github.com/davift","@type":"Person","name":"davift"},"datePublished":"2026-06-04T01:04:25.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":5},"url":"https://github.com/13341/cloudstack/issues/13341"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:0300d33c-2867-0565-cf5b-f77cdc8893a6 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D27E:3D1D09:2F090:41982:6A4D0ECA |
| html-safe-nonce | 26d77e7fe0fa9107905d3b3c1b88ce8efb2ce14bc65c29de43d39ddd72134ec9 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEMjdFOjNEMUQwOToyRjA5MDo0MTk4Mjo2QTREMEVDQSIsInZpc2l0b3JfaWQiOiI2NjI0MDk4NjAzNjg5OTUzMSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 9d28ee1de4d5ceec2204902389e0d9bd524cde845d46c65d6b6b869e5d1fc60a |
| hovercard-subject-tag | issue:4584870405 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13341/issue_layout |
| twitter:image | https://opengraph.githubassets.com/359f76c696e37bfdd0060f1c68a0b63261d080454df2b68ec0f4575d5e07944b/apache/cloudstack/issues/13341 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/359f76c696e37bfdd0060f1c68a0b63261d080454df2b68ec0f4575d5e07944b/apache/cloudstack/issues/13341 |
| og:image:alt | The required feature described as a wish Description: CloudStack ships with a default administrative password and database encryption key, both set to the string "password". Neither value is random... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | davift |
| hostname | github.com |
| expected-hostname | github.com |
| None | bcb4661e6fb4fe8b394c51ea02ccdb2236d40dc59afc75a3bbba50bf6517134c |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | fb70bd3c4b2bec429781b65419e912c66e2d5581 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width