CVE-2026-1814 MEDIUM

CVE-2026-1814: Rapid7 Nexpose Insecure Java Keystore Password Generation

Vendor Rapid7

Product InsightVM/Nexpose

Weakness CWE-331

Published February 3, 2026

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Local

Attack complexity High

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

Description

Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.

Key dates

Disclosure timeline

February 3, 2026 CVE published

February 26, 2026 Record updated