CVE-2026-5622
Hard-Coded Cryptographic Key in Huly JWT Token Handler
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcengineering | huly_platform | 0.7.382 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-320 | Key Management Errors |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the hcengineering Huly Platform version 0.7.382, in the JWT Token Handler component, specifically the file foundations/core/packages/token/src/token.ts. The affected code handles the SERVER_SECRET argument with a hard-coded cryptographic key (CWE-321). The flaw is reachable remotely, although the attack is rated as high complexity and difficult to execute.
How can this vulnerability impact me?
Because the JWT Token Handler relies on a hard-coded cryptographic key, the vulnerability can lead to unauthorized manipulation of that handler. An attacker could potentially interfere with token validation or authentication processes, affecting the integrity of the system. The high attack complexity and difficulty of exploitation may limit the likelihood of successful attacks.