External risk intelligence

NornicDB database accessible to anyone on your network due to configuration error

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-42072

NornicDB is incorrectly accessible to the entire local network, allowing an internal attacker to use default credentials to gain full administrative control. This could lead to unauthorized access to sensitive business data.

Halo Surface Signal: 2

External exposure likelihood

Halo Surface Signal score for CVE-2026-42072

The vulnerability affects a database service that incorrectly binds to all network interfaces on a local area network. Databases are standard backend infrastructure typically isolated within internal environments. While the flaw creates unintended reachability within a local network, direct exposure to the public internet is not the standard deployment pattern.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in NornicDB allows the graph database to be accessible on all network interfaces, even when configured otherwise. This means devices on the same local network could potentially access sensitive database information, especially with default credentials. Teams should pay attention because this could expose critical data within their internal network.

  • Unintended local network access.
  • Exposes sensitive data.
  • Default credentials increase risk.

Attack Path

How an attacker could exploit the issue

An attacker on the same local network can exploit this by targeting the NornicDB service. The flaw allows the Bolt listener to bind to all interfaces, exposing the database with default credentials to any device on the LAN. This grants unauthorized access to sensitive graph data.

  • Attacker requires LAN access.
  • Targets Bolt listener binding.
  • Default credentials are used.

Live Threat

Current exploitation, exposure, and threat context

The current threat picture for this CVE is likely limited to internal network reconnaissance and lateral movement. Attackers would need to be present on the same local network to exploit the database's default credentials and potentially gain access to sensitive data. Public internet exploitation is not the primary concern due to the nature of database deployments.

  • Local network access required.
  • Default credentials are a target.
  • Patch is available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching NornicDB instances to version 1.0.42-hotfix immediately, as the default credentials and network binding issue expose the database to unauthorized access on local networks. If patching is delayed, isolate affected NornicDB services from the network to prevent lateral movement or data exfiltration.

  • Patch NornicDB to v1.0.42-hotfix.
  • Isolate affected services if patching is delayed.
  • Monitor network traffic for suspicious database access.
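A host-side check for the binding flaw described above, as an added example that is not part of the advisory or the NornicDB project: it parses `ss -H -ltn` output and reports any listener on the Bolt port that is bound to an address other than the one you configured. The port 7687 (the conventional Bolt port) and the intended address are assumptions to replace with your own values, and the sample `ss` output is constructed.

```python
import ipaddress

BOLT_PORT = 7687  # assumption: conventional Bolt port; use your configured value

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:7687 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:7474 0.0.0.0:*
LISTEN 0 4096 [::]:7687 [::]:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
"""


def parse_local(field):
    """Split an ss 'Local Address:Port' field into (ip_address, port)."""
    host, _, port = field.rpartition(":")
    # Drop the %iface scope first, then the IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    if host == "*":  # ss prints '*' for a dual-stack wildcard socket
        host = "::"
    return ipaddress.ip_address(host), int(port)


def audit_listeners(ss_output, port, intended):
    """Return (address, verdict) for listeners on `port` not bound to `intended`."""
    want = ipaddress.ip_address(intended)
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, lport = parse_local(cols[3])
        if lport != port or addr == want:
            continue
        # 0.0.0.0 and :: mean "every interface", which is the exposure at issue.
        verdict = "wildcard" if addr.is_unspecified else "unexpected"
        findings.append((str(addr), verdict))
    return findings


if __name__ == "__main__":
    for addr, verdict in audit_listeners(SAMPLE_SS, BOLT_PORT, "127.0.0.1"):
        print(f"Bolt port {BOLT_PORT} bound to {addr} ({verdict})")
```

Run it against real `ss -H -ltn` output from the database host before and after upgrading; an empty result means the listener is bound only to the configured address.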

Frequently asked questions

What is NornicDB and what does it do?

NornicDB is a distributed, low-latency graph and vector database. It supports temporal MVCC and sub-millisecond HNSW search, graph traversal, and write operations, making it suitable for applications requiring fast data manipulation and access.

What type of weakness does CVE-2026-42072 represent?

CVE-2026-42072 represents a configuration error, specifically a weakness classified as CWE-1392. The database's network listener incorrectly binds to all available network interfaces, irrespective of user-defined settings, creating potential unintended access.

How can an attacker exploit CVE-2026-42072, and what is the scope of impact?

An attacker on the same local network can exploit this by targeting the NornicDB service. The Bolt listener binds to all interfaces, exposing the database with default credentials to any device on the LAN. This grants unauthorized access to sensitive graph data within the local network.

What is the relevance of CVE-2026-42072, considering threat advisories?

The current threat for CVE-2026-42072 is primarily internal network reconnaissance and lateral movement. Attackers need to be on the same local network to exploit the database's default credentials. Public internet exploitation is unlikely due to typical database deployment patterns. The security advisory for this vulnerability is available at GHSA-2hp7-65r3-wv54.

What is the recommended practical response to CVE-2026-42072?

The immediate and recommended action is to patch NornicDB instances to version 1.0.42-hotfix. If patching is delayed, isolate affected NornicDB services from the network to prevent unauthorized access, and monitor network traffic for suspicious database activity.
