CVE-2024-46508
Awaiting Analysis Awaiting Analysis - Queue
Authentication Bypass in Yeti-Platform via Default JWT Secret

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2024-46508
EUVD
EUVD-2024-55571
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yeti-platform yeti From 2.0 (inc) to 2.1.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in yeti-platform allows attackers to generate valid JWT tokens if the default secret is not changed, potentially enabling unauthorized access.

Such unauthorized access could lead to exposure or misuse of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Executive Summary

The vulnerability in yeti-platform versions before 2.1.12 allows attackers to generate valid JWT tokens if the secret key is not changed from its default value (SECRET). This means that if the YETI_AUTH_SECRET_KEY is not set to a unique value, attackers can create tokens that the system will accept as legitimate.

Impact Analysis

This vulnerability can allow attackers to impersonate legitimate users or gain unauthorized access by generating valid JWT tokens. This could lead to unauthorized actions within the system, data exposure, or other security breaches depending on the privileges associated with the forged tokens.

Mitigation Strategies

To mitigate this vulnerability, immediately change the default secret by setting the YETI_AUTH_SECRET_KEY environment variable to a value other than the default 'SECRET'. This prevents attackers from generating valid JWT tokens.

Detection Guidance

This vulnerability in yeti-platform before version 2.1.12 occurs if the default JWT secret key (YETI_AUTH_SECRET_KEY) is not changed from the default value 'SECRET'. Detection involves checking the configuration of the YETI_AUTH_SECRET_KEY environment variable or configuration file to see if it remains set to the insecure default.

To detect this on your system, you can inspect the environment variables or configuration files where YETI_AUTH_SECRET_KEY is set. For example, on a Linux system, you might run commands like:

  • Check environment variables: `printenv | grep YETI_AUTH_SECRET_KEY`
  • Check running processes for environment variables: `ps eww -C yeti`
  • Search configuration files for the secret key: `grep -r YETI_AUTH_SECRET_KEY /path/to/yeti/config/`

If the value is 'SECRET' or empty, the system is vulnerable. Changing this secret to a strong, unique value mitigates the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-46508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart