{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": "publicly known default administrator credentials submitted to the authentication endpoint",
    "claimed_surface": "api_remote",
    "expected_impact": "authz_bypass",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": "login/authentication endpoint of AutoBangumi",
    "required_entrypoint_kind": "authenticate",
    "submission_reason": "ticket_derived_llm",
    "trigger_class": "service_api",
    "upstream_verdicts": {
      "claim_extraction": {
        "confidence": "high",
        "model": "accounts/fireworks/models/kimi-k2p7-code",
        "reason": "Ticket describes a hard-coded default admin account seeded on empty databases, with unauthenticated attackers able to authenticate via the login endpoint using publicly known credentials and gain full administrative access.",
        "source": "llm"
      }
    }
  },
  "latest_description": "## Summary\nAutoBangumi versions prior to 3.2.8 create a default administrator account when the users table is empty. The credentials are hard-coded and publicly known, enabling unauthenticated attackers to log in via the authentication endpoint and obtain full administrative access to the application.\n\n## Affected Package\n- **Name:** AutoBangumi\n- **Ecosystem:** other (standalone application)\n- **Vulnerable Versions:** < 3.2.8\n- **Patched Version:** 3.2.8\n\n## Details\nThe application calls `add_default_user()` in the database user module when the users table is empty. This seeds a default admin account with fixed, publicly known credentials. An attacker can submit these credentials to the login endpoint to authenticate as an administrator, gaining access to RSS feed configuration, downloader configuration, and all authenticated API endpoints.\n\n## Reproduction Steps\n> Note: The specific default credentials are referenced in the upstream advisory/issue but are not included in the NVD entry.\n1. Deploy AutoBangumi **version < 3.2.8** in a fresh environment (empty database / users table).\n2. Start the application so the startup routine triggers `add_default_user()`.\n3. Send a login request to the authentication endpoint (e.g., via the web UI or API) using the **publicly known default credentials** documented by the project (see references).\n4. Upon successful authentication, navigate to admin-only areas (e.g., RSS feed configuration, downloader configuration, or authenticated API endpoints).\n\n## Indicators of Success\n- Login succeeds using default credentials without prior user creation.\n- The session has administrator privileges and can access/administer configuration and protected API endpoints.\n\n## Impact\nUnauthenticated attackers can gain full administrative control of the AutoBangumi instance.\n",
  "product": "other:AutoBangumi",
  "severity": "critical",
  "status": "open",
  "summary": "AutoBangumi before 3.2.8 seeds a default admin account on empty databases, allowing unauthenticated users to log in with publicly known default credentials and gain full control.",
  "ticket_id": "CVE-2026-58466"
}