# Critical Vulnerability Information

## Vulnerability Overview

- Title: Admin account has insecure default password
- Severity: Critical (9.8/10)
- CVE ID: CVE-2025-8077

## Affected Scope

- Affected Versions: >= 5.0.0, < 5.4.6
- Fixed Version: 5.4.6

## Description

Issue: In NeuVector versions 5.4.5 and earlier, the built-in admin account uses a fixed string as the default password. If this password is not changed immediately after deployment, any workload with network access to NeuVector can use the default credentials to obtain an authentication token and perform any operation via the NeuVector API.

Earlier Versions: NeuVector previously supported setting the default (bootstrap) password via the Kubernetes Secret . If NeuVector cannot retrieve this value, it falls back to a fixed default password.

## Mitigation

- Fixed Version: 5.4.6 and later.
- Recommendation: It is strongly recommended to change the default admin password to a secure one during rolling upgrades.
- RBAC Permissions: Starting with version 5.4.6, NeuVector introduces additional Kubernetes RBAC permissions to ensure the bootstrap password can be securely managed via Secrets.

## Post-Patch Behavior

- Upgrade: NeuVector will not reset any existing user passwords. It is strongly recommended to change the default admin password.
- New Deployment: If is not set in , NeuVector will generate a secure password and store it in the same Secret.

## Workaround for Existing Deployments

For existing vulnerable versions, immediately log in to the NeuVector UI after deployment and update the default admin password.

## References

- Contact the SUSE Rancher Security team for security-related inquiries.
- Open an issue in the NeuVector repository.
- Review the support matrix and product support lifecycle.
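The following is an added example, not NeuVector's own code: it models the bootstrap-password behaviour the advisory describes (fixed fallback before 5.4.6, generated-and-stored password from 5.4.6 on) together with a check of the affected version range. The Secret key name and the fallback value are placeholders, not NeuVector's real values.

```python
import secrets
import string

# Version range from the advisory: >= 5.0.0 and < 5.4.6 is affected.
AFFECTED_MIN = (5, 0, 0)
FIXED = (5, 4, 6)

# Placeholders (assumptions): the real Secret key and fixed default are not reproduced here.
BOOTSTRAP_KEY = "bootstrapPassword"
PLACEHOLDER_DEFAULT = "<fixed-default-password>"


def parse_version(v: str) -> tuple:
    """Turn 'v5.4.5' or '5.4.5' into (5, 4, 5) for ordered comparison."""
    return tuple(int(p) for p in v.lstrip("v").split(".")[:3])


def is_affected(version: str) -> bool:
    """True when the deployed version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def vulnerable_bootstrap(secret_data: dict) -> str:
    """Pre-5.4.6 behaviour: a missing Secret value silently falls back to a fixed password."""
    return secret_data.get(BOOTSTRAP_KEY) or PLACEHOLDER_DEFAULT


def hardened_bootstrap(secret_data: dict, length: int = 32) -> str:
    """5.4.6+ behaviour as described: when the value is unset, generate a strong random
    password and write it back into the same Secret so operators can retrieve it."""
    pw = secret_data.get(BOOTSTRAP_KEY)
    if not pw:
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        secret_data[BOOTSTRAP_KEY] = pw  # persisted alongside the other Secret keys
    return pw


def uses_fallback_default(password: str) -> bool:
    """Operator-side check: flag an admin password that still equals the fallback value."""
    return password == PLACEHOLDER_DEFAULT


if __name__ == "__main__":
    constructed_secret = {}  # constructed sample: a Secret with no bootstrap value
    print("5.4.5 affected:", is_affected("5.4.5"))
    print("vulnerable fallback flagged:", uses_fallback_default(vulnerable_bootstrap(constructed_secret)))
    print("hardened stores generated value:", BOOTSTRAP_KEY in (hardened_bootstrap(constructed_secret), constructed_secret)[1])
```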