Vulnerability Description
Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-1814?
CVE-2026-1814 is a documented vulnerability. Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, th...
How severe is CVE-2026-1814?
CVSS scoring is not yet available for CVE-2026-1814. Check NVD for updates.
Is there a patch for CVE-2026-1814?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.