lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Adobe Experience Manager

Adobecms4 credentials1 default credential

Credentials4 documented
01

Default Administrator Account

adobe-experience-manager / default-admin

AEM quickstart installations include the built-in admin account used for initial author/publish administration. Adobe hardening guidance calls out changing default passwords and securing default accounts.

static defaultuser definedsecretusername/password

Default credentials

admin:admin

Location

public interface
AEM author/publish login, CRXDE Lite, Felix console, Package Manager, and Sling endpoints
database

JCR/Oak repository user and token nodes

config file

quickstart startup scripts, OSGi configs, runmode configs, and provisioning files

artifact

AEM package exports, repository backups, and quickstart snapshots

Notes

admin/admin is an initial/development credential and should be changed or disabled for production hardening.

02

Repository / Service User Password

adobe-experience-manager / repository-user-password

AEM stores local repository users, service users, and application accounts in the JCR/Oak repository for authoring, replication, package management, and integrations.

user definedgenerated on installsecretusername/password

Location

database

JCR/Oak repository users, groups, rep:password hashes, and service user mappings

public interface
AEM login, Sling servlets, CRXDE, package manager, and replication endpoints
secret store

password vaults, Cloud Manager variables, and deployment secrets

source code

content packages, repoinit scripts, tests, and runmode configs

logs

request.log, audit logs, error.log, and authentication traces

03

OSGi, Crypto Support, and Integration Secrets

adobe-experience-manager / osgi-and-crypto-secrets

AEM OSGi configurations can hold SMTP passwords, LDAP bind credentials, dispatcher flush secrets, OAuth/client secrets, database credentials, replication agent passwords, and the Crypto Support master key material.

generated on installuser definedsecretsecret value

Looks like

pattern
pattern

AEM encrypted OSGi configuration value produced by Crypto Support

\{[A-Za-z0-9+/=]+\}

Location

config file
crx-quickstart/launchpad/config, crx-quickstart/conf

OSGi configs, runmode configs, crypto keys, and connector settings

database

JCR configuration nodes for replication agents and integration credentials

secret store

AEM Crypto Support, Cloud Manager secrets, Kubernetes Secrets, and vaults

source code

committed OSGi config files, content packages, and deployment repos

logs

replication, LDAP, mail, and connector debug logs

04

Login Token / OAuth Token

adobe-experience-manager / api-session-token

AEM issues login tokens and may store OAuth/access tokens for integrations with Adobe and third-party services.

generated on installuser definedsecrettoken

Location

http header
Cookie

AEM login-token and session cookies

http header
Authorization

Bearer/OAuth tokens used by integrations and Sling clients

database

JCR token nodes and OAuth/client credential storage

logs

HTTP traces, request logs, and client debug output

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.