## HCAdmin Authentication Flaws Expose PG+ to Brute-Force Attacks Prior to Version 2026.1.1
A newly disclosed security advisory identifies two authentication vulnerabilities in HCAdmin, a component of the PG+ platform, affecting all versions prior to 2026.1.1. Both are rated High severity: one exposes the bootstrap login path to brute-force attacks, the other assigns privileges improperly during the login sequence. Operators are urged to update to the patched release.

The first vulnerability is the absence of rate limiting in the authentication handler for the `hc_passwd` challenge. This directive in `config.msg` exists to bootstrap a new PG+ instance or to recover one when no HCAdmin player files (pfiles) exist: when a user listed in `hcadmins` logs in without a pfile, the system challenges them for the `hc_passwd` instead of a per-account password. According to the advisory, the handler applies no protection against repeated attempts, so an automated client can guess the bootstrap password with no lockout or delay to slow it down, and a correct guess yields a login as an `hcadmins` user.
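To make the weakness concrete, the following added example (illustrative code written for this page, not HCAdmin's or PG+'s implementation) places an unthrottled `hc_passwd` challenge beside a throttled one and runs the same guessing loop against both. The names `hcadmins`, pfiles and `hc_passwd` follow the advisory's wording; the handler structure, the five-failure lockout policy, the sample password and the wordlist are assumptions constructed for the demonstration.

```python
"""Bootstrap-password challenge: vulnerable shape vs. rate-limited shape.

Illustrative only; not HCAdmin/PG+ code. Configuration values and the
attacker's wordlist below are constructed sample data.
"""
import hmac
import time

# Constructed stand-in for the hc_passwd directive in config.msg.
HC_PASSWD = "bootstrap-42"
HCADMINS = {"alice", "bob"}
# Accounts that already have a pfile. bob does, alice does not, so only
# alice is eligible for the hc_passwd bootstrap/recovery challenge.
PFILES = {"bob"}


def _eligible(name: str) -> bool:
    """The hc_passwd flow applies only to an hcadmins entry with no pfile."""
    return name in HCADMINS and name not in PFILES


def _matches(supplied: str) -> bool:
    # Constant-time comparison so timing does not leak prefix matches.
    return hmac.compare_digest(supplied.encode(), HC_PASSWD.encode())


def challenge_unthrottled(name: str, supplied: str) -> str:
    """Vulnerable shape: every attempt is answered, so guessing is unbounded."""
    if _eligible(name) and _matches(supplied):
        return "ok"
    return "denied"


class ThrottledChallenge:
    """Hardened shape: per-account failure counter plus a lockout window."""

    def __init__(self, max_failures=5, lockout_seconds=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # name -> consecutive failed attempts
        self._locked_until = {}   # name -> clock value when the lockout ends

    def attempt(self, name: str, supplied: str) -> str:
        now = self.clock()
        if now < self._locked_until.get(name, 0.0):
            return "locked"       # refuse before even checking the password
        # Ineligible names take the same failure path as a wrong password, so
        # the response does not reveal which hcadmins entries lack a pfile.
        if _eligible(name) and _matches(supplied):
            self._failures.pop(name, None)
            return "ok"
        count = self._failures.get(name, 0) + 1
        if count >= self.max_failures:
            self._failures.pop(name, None)
            self._locked_until[name] = now + self.lockout_seconds
            return "locked"
        self._failures[name] = count
        return "denied"


def brute_force(handler, name, candidates):
    """Guess each candidate; returns (password found or None, attempts, locked replies)."""
    attempts = locked = 0
    for guess in candidates:
        attempts += 1
        result = handler(name, guess)
        if result == "ok":
            return guess, attempts, locked
        if result == "locked":
            locked += 1
    return None, attempts, locked


class FakeClock:
    """Controllable clock so the lockout window can be exercised deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    guesses = [f"bootstrap-{i}" for i in range(100)]   # constructed wordlist
    unthrottled = brute_force(challenge_unthrottled, "alice", guesses)
    clock = FakeClock()
    throttled = ThrottledChallenge(max_failures=5, lockout_seconds=300, clock=clock)
    throttled_run = brute_force(throttled.attempt, "alice", guesses)
    clock.advance(300)                                   # lockout window expires
    after_lockout = throttled.attempt("alice", HC_PASSWD)
    return {"unthrottled": unthrottled, "throttled": throttled_run,
            "after_lockout": after_lockout}


if __name__ == "__main__":
    print(demo())
```

Against the unthrottled handler the loop recovers the password on its 43rd guess; against the throttled one the account locks after the fifth failure and every later guess is refused without being checked, so the same wordlist finds nothing until the window expires. A real deployment would also throttle per source address and log the lockouts, but the per-account counter alone removes the unbounded-guess condition the advisory describes.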

The second flaw is improper privilege assignment during the login sequence; the available advisory text gives few technical specifics beyond that. For context, the `hc_passwd` challenge is reached only when an `hcadmins` user has no pfile, that is, during bootstrap or recovery, so the password it protects stands in for administrative access rather than an ordinary account. Organizations running PG+ should verify their installed version and apply the 2026.1.1 update. The advisory does not say whether exploitation in the wild has been observed, but an unthrottled challenge guarding a single shared administrative password is a structural weakness that credential-guessing attackers can exploit without needing any further bug.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: authentication-vulnerability, brute-force, privilege-escalation, pg-plus, security-patch
- **Credibility**: unverified
- **Published**: 2026-05-01 03:54:06
- **ID**: 78774
- **URL**: https://whisperx.ai/en/intel/78774