JustAppSec

Helix Core flags insecure defaults exposing source code depots

2 min read · Published 24 Apr 2026 · Updated 24 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — P4 Server (p4d) releases before 2026.1 ship with insecure defaults. If your p4d is reachable from untrusted networks, those defaults (including the built-in remote user) can let unauthenticated clients create accounts, enumerate users, log in to accounts with no password set, and read depot contents.

What happened

Helix Core Server (p4d) is Perforce’s central version-control server for hosting and controlling access to source code depots.

CVE-2026-6043 is an “insecure defaults” issue: P4 Server versions prior to 2026.1 can be deployed with default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate users, authenticate to accounts with no password set, and access depot contents via the built-in remote user. CVSS v4.0 base score is 8.8 (High).

This is the failure mode platform teams dread: internet-reachable source control with permissive defaults becomes a source-code exfiltration and credential-pivoting risk, and one that attackers can find at scan scale rather than by targeting you specifically.

Who is impacted

  • Organizations running Perforce Helix Core Server (p4d) in the affected range.
  • Any deployment where the P4 Server is reachable from untrusted networks (internet or low-trust internal segments).

Component: Perforce Helix Core Server (P4D)
Affected (per CVE record): 0 through 2025.2 (described as “prior to 2026.1”)
Remediation target (per CVE record): 2026.1 or later (expected May 2026)

What to do now

  • Follow vendor remediation guidance and apply the secure-by-default release when available.

    "Upgrade to P4 Server (P4D) version 2026.1 or later, expected in May 2026, which enforces secure-by-default configurations on both new installations and upgrades."

  • If you cannot upgrade immediately, apply the vendor’s documented hardening guidance.

    "For installations that cannot immediately upgrade to 2026.1, administrators should apply manual hardening by configuring security-related server settings as documented at https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/security-configurables.html."

  • Operational triage for platform teams:
    • Inventory all p4d instances and verify whether any are reachable from untrusted networks; if one is, restrict reachability (firewall, VPN, source allowlist) until it is hardened or upgraded.
    • Review authentication posture and user provisioning controls, especially the defaults that permit unauthenticated user enumeration, automatic account creation, passwordless logins, or depot access via the built-in remote user.
    • If you suspect unauthorized access, treat this as potential source-code exposure: review server access logs for unexpected depot reads and account creations, and rotate credentials and secrets held by systems that ingest from the depot (CI, build agents, deploy keys).
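The triage steps above are easiest to repeat across a fleet as a script. The following audit is an added example written for this article, not Perforce tooling and not the vendor's hardening procedure. It makes two labelled assumptions: that `p4 configure show` prints one `name=value (source)` line per explicitly set configurable and omits unset ones (so an absent name is treated as its documented default), and that `p4 protect -o` prints the protections table under a `Protections:` header with one `mode type name host path` entry per line. The configurable names, defaults and thresholds (`security`, `dm.user.noautocreate`, `run.users.authorize`) are taken from Perforce's p4sag documentation as I know it; check them against the vendor's security-configurables page linked above before acting on a finding. The sample inputs are constructed, not captured from a real server.

```python
"""Audit p4d configurables and the protections table for the permissive
defaults described in CVE-2026-6043.

Added example for this article, not Perforce tooling. Assumptions:
- `p4 configure show` output: one `name=value (source)` line per set
  configurable; unset configurables are absent and treated as defaults.
- `p4 protect -o` output: `mode type name host path` entries, one per line.
- Names, defaults and thresholds below come from Perforce's p4sag docs;
  verify against the vendor's security-configurables page.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str       # configurable name
    default: int    # assumed default in releases before 2026.1
    minimum: int    # lowest value this audit accepts
    exposure: str   # CVE-described outcome the permissive value allows


CHECKS = (
    # security=3: passwords and ticket-based login required (assumed semantics)
    Check("security", 0, 3, "login to accounts with no password set"),
    # dm.user.noautocreate>=1: only superusers can create accounts (assumed)
    Check("dm.user.noautocreate", 0, 1, "arbitrary user account creation"),
    # run.users.authorize=1: `p4 users` requires authentication (assumed)
    Check("run.users.authorize", 0, 1, "unauthenticated user enumeration"),
)

CONFIG_LINE = re.compile(r"^\s*([A-Za-z][\w.]*)=(\S*)(?:\s+\((\w+)\))?\s*$")
PROTECT_LINE = re.compile(r"^\s*(\S+)\s+(user|group)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_configure_show(text: str) -> dict[str, str]:
    """Map configurable name -> value from `p4 configure show` output."""
    settings = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_configurables(settings: dict[str, str]) -> list[str]:
    """One finding per configurable left below the accepted minimum."""
    findings = []
    for c in CHECKS:
        raw = settings.get(c.name)
        try:
            value = int(raw) if raw is not None else c.default
        except ValueError:
            value = c.default  # unparsable value: assume the default still applies
        if value < c.minimum:
            origin = "unset, default assumed" if raw is None else f"set to {raw}"
            findings.append(
                f"{c.name}={value} ({origin}): permits {c.exposure}; "
                f"set {c.name} to {c.minimum} or higher"
            )
    return findings


def audit_protections(text: str) -> list[str]:
    """Flag entries granting the built-in `remote` user, or every user from
    every host, non-exclusionary access. These are review prompts: whether
    such an entry is acceptable depends on whether remote depots are used."""
    findings = []
    for line in text.splitlines():
        m = PROTECT_LINE.match(line)
        if not m:
            continue
        mode, kind, name, host, path = m.groups()
        if mode.startswith("-"):
            continue  # exclusionary entry: it removes access, not grants it
        if kind == "user" and name == "remote":
            findings.append(f"remote user granted {mode} from {host} on {path}")
        elif kind == "user" and name == "*" and host == "*":
            findings.append(f"all users granted {mode} from any host on {path}")
    return findings


# Constructed sample output for an un-hardened server (not a real capture).
SAMPLE_CONFIGURE = """\
P4JOURNAL=journal (configure)
monitor=1 (configure)
dm.user.noautocreate=0 (configure)
"""

SAMPLE_PROTECT = """\
# A Perforce Protections Specification.
Protections:
\twrite user * * //...
\tread user remote * //depot/...
\tsuper user p4admin * //...
\t-read user * * //depot/secrets/...
"""


def main() -> int:
    findings = audit_configurables(parse_configure_show(SAMPLE_CONFIGURE))
    findings += audit_protections(SAMPLE_PROTECT)
    for f in findings:
        print("FINDING:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

On a live server you would replace the two constructed samples with the output of `p4 -p <P4PORT> configure show` and `p4 -p <P4PORT> protect -o` run as a superuser, and treat a non-zero exit as a host to harden or isolate. Unset configurables are deliberately reported as findings rather than skipped, because the whole point of this CVE is that the unset state is the unsafe one.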

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
