Use of Hard-coded Password
The application contains a hard-coded password in its source code, binary, configuration, or authentication logic. This takes one of two forms: an inbound password that the application accepts for its own login (typically a default administrator account), or an outbound password that the application presents to a backend such as a database or API. In either case the secret is identical across every deployment and can be extracted by anyone with access to the codebase, build artifacts, binaries, configuration files, or runtime memory. An attacker who recovers it can authenticate as the affected account, reach protected functionality, connect to backend systems, or escalate privileges.
The issue is especially risky because a hard-coded password cannot be rotated, audited, or revoked without changing and redeploying the application, so it tends to remain valid long after it has leaked. If the same password ships with every installation, compromising one instance exposes all of them.
Remediation
Remove the hard-coded password and load secrets at runtime from a secret-management system, an encrypted configuration store, or environment-specific protected configuration, with no built-in fallback value. Ensure secrets are unique per environment, access-controlled, rotated regularly, and never committed to source control. For inbound authentication, require the user or administrator to set a unique, strong password during first setup instead of relying on a default hard-coded value, and keep the account unusable until that setup has been completed. For stored passwords, use a strong one-way password hashing algorithm with a unique salt per password rather than reversible or plaintext storage.
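The following is an added example, not code from the original page, showing a hard-coded password next to its remediated form for both cases described above: an outbound backend credential and an inbound default login. All names (`APP_DB_PASSWORD`, `AdminAccount`, `MissingSecretError`) and the literal passwords in the vulnerable functions are hypothetical and constructed for illustration.

```python
"""Hard-coded password (CWE-259) beside its remediation.

Added illustration; every identifier and password literal here is made up.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# --- Outbound credential: connecting to a backend ----------------------------

def vulnerable_backend_password() -> str:
    """VULNERABLE: the backend password is a literal in the code. Anyone with
    the source, the build artifact or a memory dump has it, and every
    deployment shares it."""
    return "s3cr3t-db-password"  # hard-coded secret (constructed example)


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent. The application fails closed
    instead of falling back to a compiled-in default."""


def backend_password(env: Optional[dict] = None) -> str:
    """Remediated: read the secret from environment-specific protected
    configuration (here an environment variable injected by the deployment
    platform or secret manager). No default value exists in the code."""
    env = os.environ if env is None else env
    value = env.get("APP_DB_PASSWORD")  # hypothetical variable name
    if not value:
        raise MissingSecretError("APP_DB_PASSWORD is not set")
    return value

# --- Inbound authentication: the application's own login ----------------------

def vulnerable_admin_login(password: str) -> bool:
    """VULNERABLE: every installation ships with the same administrator
    password, compared against a plaintext literal."""
    return password == "admin123"  # hard-coded default (constructed example)


# PBKDF2-HMAC-SHA256 with a per-password random salt; the iteration count
# follows current OWASP guidance for this algorithm.
_PBKDF2_ITERATIONS = 600_000
_MIN_PASSWORD_LENGTH = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is generated when none is
    supplied, so identical passwords never produce identical digests."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 _PBKDF2_ITERATIONS)
    return salt, digest


class AdminAccount:
    """Remediated inbound login: no built-in password exists. The operator
    sets one during first setup, only a salted one-way hash is stored, and
    the account is unusable until setup has happened."""

    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._digest: Optional[bytes] = None

    @property
    def is_initialized(self) -> bool:
        return self._digest is not None

    @staticmethod
    def _check_strength(password: str) -> None:
        if len(password) < _MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {_MIN_PASSWORD_LENGTH} characters")

    def set_initial_password(self, password: str) -> None:
        if self.is_initialized:
            raise RuntimeError("password already set; use change_password")
        self._check_strength(password)
        self._salt, self._digest = hash_password(password)

    def verify(self, password: str) -> bool:
        if not self.is_initialized:
            return False  # fail closed: no default credential before setup
        _, candidate = hash_password(password, self._salt)
        # Constant-time comparison avoids leaking digest bytes via timing.
        return hmac.compare_digest(candidate, self._digest)

    def change_password(self, current: str, new: str) -> bool:
        """Rotation path: proves knowledge of the current password, then
        re-hashes the new one under a fresh salt."""
        if not self.verify(current):
            return False
        self._check_strength(new)
        self._salt, self._digest = hash_password(new)
        return True
```

The two remediated paths share one property the vulnerable ones lack: there is no value anywhere in the code that authenticates on its own. The outbound secret must be supplied by the environment or the call fails, and the inbound account rejects every login until an operator has chosen a password, so shipping the binary does not ship a credential.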
Metadata
- Severity: high
- Slug: use-of-hard-coded-password
CWEs
- 259: Use of Hard-coded Password
- 798: Use of Hard-coded Credentials