CVE-2026-9142 | There is an insecure default credentials vulnerability in NI… | CVSS 9.1 CRITICAL

Description

There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback. This may allow an unauthenticated user access to the server on the local network. This affects NI grpc-device 2.17.0 and prior versions.

Metadata

CVE ID: CVE-2026-9142
State: PUBLISHED
Assigner: NI
Reserved: 2026-05-20 19:51 UTC
Published: 2026-06-19 13:41 UTC
Last updated: 2026-06-19 13:41 UTC
Primary CWE: CWE-306
CWE-306 Missing authentication for critical function
Vendor / Product: NI / grpc-device
Sources: cve.org · NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products (2)

Vendor	Product	Platform	Versions
NI	grpc-device	—	0 ≤ 2.17.0
NI	InstrumentStudio	—	0 ≤ 26.3.0

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306 Missing authentication for critical function

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
9.1	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (2)