Clawvet API Hard-Coded JWT Secret Exposes User Data
A critical vulnerability in the Clawvet self-hosted API server allows unauthenticated attackers to forge session cookies and hijack user accounts.
Clawvet self-hosted API server versions prior to 0.7.5 contain a critical vulnerability (CVE-2026-62241) involving a hard-coded fallback JSON Web Token (JWT) secret. With a CVSS score of 9.1, this flaw enables remote, unauthenticated attackers to forge valid session tokens and gain unauthorized access to sensitive user information, including API keys and subscription details.
What's at Risk
The vulnerability affects all self-hosted deployments of the Clawvet API (apps/api) running versions earlier than 0.7.5. Organizations utilizing this software for API management or scan record tracking are at high risk, particularly those with internet-facing deployments where the service is exposed to public traffic.
Because the hard-coded secret ('clawvet-dev-secret-change-me') is publicly known and documented in the project's example environment files, any instance that has not updated its configuration is essentially open to account takeover. The risk is compounded by the fact that the API's scan endpoint does not require authentication, allowing attackers to easily harvest the necessary identifiers to facilitate their exploit.
How the Flaw Works
This vulnerability stems from the use of hard-coded credentials, a common security weakness where sensitive information—such as cryptographic keys or passwords—is embedded directly into the source code or default configuration files. In a production environment, this is dangerous because it bypasses the security intent of authentication mechanisms. If an attacker knows the secret used to sign a token, they can generate their own valid tokens, effectively impersonating any user or administrator within the system without ever needing a valid password.
When an application fails to rotate these secrets or relies on default values provided during development, it creates a permanent back door. Attackers typically use this class of flaw to escalate privileges, access private data, or maintain persistent access to the back-end infrastructure. It is a fundamental principle of secure development that secrets should be managed through secure vaults or environment-specific variables, never stored within the application's repository.
How to Protect Your Systems
- Immediately update your Clawvet API installation to version 0.7.5 or later to remove the hard-coded fallback secret.
- If you have been running a vulnerable version, assume all existing sessions are compromised and rotate all API keys associated with your Clawvet instance.
- Ensure that your production environment variables are configured with a strong, unique, and randomly generated JWT secret that is not derived from default templates.
- Restrict network access to your API server by placing it behind a firewall or VPN, ensuring it is not exposed to the open internet unless absolutely necessary.
- Implement robust monitoring and logging to detect unauthorized access attempts or anomalous requests to sensitive API endpoints like /api/v1/auth/me.
The severity of this flaw cannot be overstated, as it provides a direct path to full account takeover. Organizations must prioritize patching their infrastructure immediately to prevent unauthorized actors from harvesting user credentials and sensitive API keys. Promptly addressing hard-coded secrets is a vital step in maintaining the integrity of any self-hosted service.
Continue Reading
Grav CMS 2FA Bypass Vulnerability Disclosed in Login Plugin
A critical 2FA bypass vulnerability in Grav CMS allows attackers to reset TOTP secrets, effectively neutralizing multi-factor authentication protections.
Critical Hard-Coded Secret Flaw Found in clawvet API Server
A hard-coded JWT secret in clawvet API versions before 0.7.5 allows unauthenticated remote attackers to forge session cookies and steal sensitive user data.
CISA Flags Actively Exploited Fortinet FortiSandbox OS Injection Flaw
CISA has added a critical OS command injection vulnerability in FortiSandbox to its KEV catalog, mandating urgent remediation for federal agencies.