CVE-2026-33746
JWT Signature Bypass in Convoy KVM Panel Enables User Impersonation
Publication date: 2026-04-02
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| convoypanel | convoy | up to 4.5.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to forge or tamper with JWT tokens and authenticate as any user without valid credentials, compromising authentication integrity.
Such unauthorized access and impersonation can lead to unauthorized disclosure, modification, or disruption of sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.
Therefore, the vulnerability poses a significant risk to compliance with these regulations by undermining the confidentiality, integrity, and availability of protected information.
Can you explain this vulnerability to me?
CVE-2026-33746 is a critical vulnerability in ConvoyPanel versions from 3.9.0-beta up to, but not including, 4.5.1. The issue is in the JWTService::decode() method, which fails to verify the cryptographic signature of JSON Web Tokens (JWTs). Although the method sets up a symmetric HMAC-SHA256 signer, it only validates the time-based claims (expiration, not-before, issued-at) and never checks the token's signature.
Because of this, an attacker can forge or tamper with JWT payloads, such as changing the user_uuid claim, and the system will accept the token as valid if the time-based claims are correct. This flaw compromises the Single Sign-On (SSO) authentication flow, allowing attackers to authenticate as any user by crafting a token with an arbitrary user_uuid.
The vulnerability is classified under improper authentication and improper verification of cryptographic signatures, with a critical CVSS score of 9.8. It can be exploited remotely without privileges or user interaction.
How can this vulnerability impact me?
This vulnerability allows an attacker to bypass authentication by forging JWT tokens, enabling them to log in as any user without valid credentials.
As a result, the attacker can gain unauthorized access to sensitive information, modify data, and potentially disrupt services, impacting confidentiality, integrity, and availability at a high level.
- Unauthorized access to user accounts
- Data tampering or theft
- Potential service disruption
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the JWTService::decode() method not verifying JWT token signatures, allowing forged tokens to be accepted if time-based claims are valid.
Detection would involve inspecting JWT tokens used in the ConvoyPanel authentication flow to check if tokens without valid cryptographic signatures are accepted.
Since the vulnerability is in the application logic, network detection might focus on monitoring JWT tokens in HTTP headers or requests to the SSO login endpoint for suspicious or forged tokens.
No specific detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade ConvoyPanel to version 4.5.1 or later, where the vulnerability has been patched by adding signature verification to the JWT validation process.
There are no effective workarounds; disabling the SSO login endpoint could reduce risk but is generally impractical.
Immediate updating is strongly advised to remediate this critical vulnerability.