CVE-2026-1814 – Rapid7 Nexpose Insecure Java Keystore Password Generation

CVE ID : CVE-2026-1814

Published : Feb. 3, 2026, 2:54 p.m. | 23 minutes ago

Description : Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix ‘p’, resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…