Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.Referenceshttps://docs.couchbase.com/server/current/release-notes/relnotes.htmlhttps://www.couchbase.com/alerts
