Description
Describe the security issue
Open Integration Engine (OIE) is shipped with a default administrative account using the credentials admin:admin.
Although the documentation advises users to change this password after installation, this is not technically enforced by the application. https://github.com/OpenIntegrationEngine/engine/blob/eb363621ed38d0c54a2a95dac30bcddd3ae08cc6/server/docs/README.txt#L49
As a result, OIE instances can be deployed with well-known default credentials still active. These credentials are universally known and are automatically attempted by common scanning and credential-spraying tools, leading to trivial administrative compromise when such instances are reachable.
Vulnerability Location
OIE codebase itself, default authentication configuration and initial setup logic.
This issue is not related to a third-party library.
Environment (please complete the following information if it is applicable to the issue)
x
Suggested remediation
Enforce secure credential handling during initial setup, for example:
- Require a mandatory password change on first administrative login
- Prevent application startup until a non-default admin password is configured
- Generate a unique, strong admin password at installation time and display it once
- Explicitly block authentication when default credentials are detected
- Enforce minimum password length and complexity requirements
Relying solely on documentation to mitigate this risk is insufficient in practice.
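As an added illustration of the remediations listed above (this is example code written for this report, not OIE's own setup or login logic), the following Python sketch refuses startup while any account still matches the default password, never authenticates the admin:admin pair, forces a change on first login, and applies a minimum length/complexity policy; the thresholds, PBKDF2 parameters and function names are assumptions.

```python
import hashlib, hmac, re, secrets
from dataclasses import dataclass

DEFAULT_USER, DEFAULT_PASSWORD = "admin", "admin"  # the shipped default named in the report

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool = False  # forces a change on first login

def password_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def policy_violations(password: str) -> list[str]:
    # Minimum length and complexity rules; the thresholds are assumptions
    checks = [(len(password) >= 12, "at least 12 characters"),
              (re.search(r"[A-Z]", password), "an uppercase letter"),
              (re.search(r"[0-9]", password), "a digit"),
              (password.lower() != DEFAULT_PASSWORD, "not the default password")]
    return [msg for ok, msg in checks if not ok]

def startup_blockers(accounts: list[Account]) -> list[str]:
    # Usernames whose stored hash still matches the shipped default password;
    # the launcher must refuse to start while this list is non-empty
    return [a.username for a in accounts
            if hmac.compare_digest(password_digest(DEFAULT_PASSWORD, a.salt), a.digest)]

def provision_admin() -> tuple[Account, str]:
    # Unique random password, returned once so the installer can display it
    password, salt = secrets.token_urlsafe(18), secrets.token_bytes(16)
    return Account(DEFAULT_USER, salt, password_digest(password, salt), True), password

def login(acct: Account, username: str, password: str) -> str:
    # Returns 'blocked_default', 'invalid', 'change_required' or 'ok'
    if username == DEFAULT_USER and password == DEFAULT_PASSWORD:
        return "blocked_default"  # never authenticate the well-known pair
    if username != acct.username or not hmac.compare_digest(
            password_digest(password, acct.salt), acct.digest):
        return "invalid"
    return "change_required" if acct.must_change_password else "ok"

def change_password(acct: Account, new_password: str) -> list[str]:
    # Apply the policy; on success store a fresh salted hash and clear the flag
    problems = policy_violations(new_password)
    if not problems:
        acct.salt = secrets.token_bytes(16)
        acct.digest, acct.must_change_password = password_digest(new_password, acct.salt), False
    return problems
```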
Additional context
Default administrative credentials such as admin:admin are widely abused and hardcoded into common security tooling.