Advertisement
Security

Clawvet API Server Vulnerability Exposes User Data via Hard-Coded Secret

A critical vulnerability in clawvet API versions before 0.7.5 allows unauthenticated attackers to forge session cookies and access sensitive user information.

··1 hour ago·1 min read
black iphone 5 beside brown framed eyeglasses and black iphone 5 c
Photo by Dan Nelson on Unsplash
Advertisement

Security researchers have identified a critical vulnerability, tracked as CVE-2026-62241, affecting the clawvet self-hosted API server. The issue stems from a hard-coded fallback JWT secret, 'clawvet-dev-secret-change-me', located in auth.ts and provided as a default in the .env.example file.

An unauthenticated remote attacker can exploit this flaw by harvesting user IDs via the GET /api/v1/scans endpoint. Using the known secret, an attacker can forge HS256-based session cookies to impersonate users, granting them unauthorized access to private data, including email addresses, subscription plans, and secret API keys via the GET /api/v1/auth/me endpoint. The vulnerability carries a CVSS score of 9.1.

Users running clawvet API server versions prior to 0.7.5 are advised to update their software immediately to mitigate this risk. The clawvet npm package, which is limited to CLI functionality, is not affected by this vulnerability.

#cve-2026-62241#clawvet#vulnerability#authentication#api

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement