Clawvet API Server Vulnerability Exposes User Data via Hard-Coded Secret
A critical vulnerability in clawvet API versions before 0.7.5 allows unauthenticated attackers to forge session cookies and access sensitive user information.
Security researchers have identified a critical vulnerability, tracked as CVE-2026-62241, affecting the clawvet self-hosted API server. The issue stems from a hard-coded fallback JWT secret, 'clawvet-dev-secret-change-me', located in auth.ts and provided as a default in the .env.example file.
An unauthenticated remote attacker can exploit this flaw by harvesting user IDs via the GET /api/v1/scans endpoint. Using the known secret, an attacker can forge HS256-based session cookies to impersonate users, granting them unauthorized access to private data, including email addresses, subscription plans, and secret API keys via the GET /api/v1/auth/me endpoint. The vulnerability carries a CVSS score of 9.1.
Users running clawvet API server versions prior to 0.7.5 are advised to update their software immediately to mitigate this risk. The clawvet npm package, which is limited to CLI functionality, is not affected by this vulnerability.
Continue Reading
Critical Privilege Escalation Flaw Found in Bricksforge WordPress Plugin
A critical vulnerability in the Bricksforge WordPress plugin allows unauthenticated attackers to create unauthorized administrator accounts.
Grav Login Plugin Vulnerability Allows Two-Factor Authentication Bypass
A critical flaw in Grav versions before 2.0.4 permits attackers to bypass two-factor authentication by overwriting existing security secrets.
Formalizing the Vulnerability Lifecycle
International agencies are pushing software vendors to adopt standardized vulnerability disclosure frameworks for better security.