CVE-2026-62241
MohibShaikh · clawvet
The clawvet self-hosted API server uses a hard-coded JWT secret, allowing unauthenticated attackers to forge session cookies and access sensitive user information.
Executive summary
A critical authentication bypass in the clawvet self-hosted API server enables unauthenticated remote attackers to forge session tokens and steal sensitive user account data.
Vulnerability
The application incorrectly hard-codes a default JWT secret in the source code and provides it in example configuration files. Because the API also fails to require authentication for certain endpoints, an unauthenticated attacker can harvest user IDs and sign their own session cookies to impersonate victims and extract sensitive account details.
Business impact
This vulnerability presents a catastrophic risk to data privacy, as it permits attackers to access email addresses, subscription plans, and API keys of registered users. The ability to forge sessions bypasses all existing authentication mechanisms, effectively granting attackers full control over victim accounts. The 9.1 CVSS score underscores the high impact on data confidentiality and integrity.
Remediation
Immediate Action: Update the clawvet self-hosted API server to version 0.7.5 or later, and ensure that a strong, unique JWT secret is generated and configured in the production environment.
Proactive Monitoring: Monitor API logs for anomalous requests to /api/v1/auth/me or unexpected session cookie patterns that deviate from standard user behavior.
Compensating Controls: Deploy a Web Application Firewall (WAF) to block unauthorized access attempts to sensitive API endpoints and detect common JWT manipulation patterns.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The presence of a hard-coded cryptographic secret represents a fundamental security failure that must be addressed immediately. Administrators should rotate all potentially compromised API keys and credentials immediately after updating the software to version 0.7.5 to ensure the security of their user base.