CVE-2026-42869
JWT Secret Hardcoding in SOCFortress CoPilot
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| socfortress | copilot | all versions before 0.1.57 (0.1.57 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to forge admin-scoped JWTs and gain full control over the SOCFortress CoPilot application and all integrated security tools. Such unauthorized access can lead to the compromise of sensitive data, alteration or suppression of detection rules and alerts, and manipulation of endpoints.
Given the severity and scope of the breach, organizations using affected versions could face violations of common security and privacy standards such as GDPR and HIPAA. These regulations require protection of sensitive data and maintaining the integrity and availability of security systems. The ability for attackers to access and manipulate security tools without credentials undermines these requirements, potentially leading to non-compliance, data breaches, and regulatory penalties.
Can you explain this vulnerability to me?
CVE-2026-42869 is a critical vulnerability in the SOCFortress CoPilot platform versions prior to 0.1.57. The issue arises because the application ships with a hardcoded JWT signing secret as a fallback value, which is publicly known and included verbatim in the example environment file. If the JWT_SECRET environment variable is not explicitly set during deployment, including the default Docker Compose setup, all authentication tokens are signed with this known secret.
This allows an unauthenticated attacker to forge arbitrary admin-scoped JWT tokens without any credentials, thereby gaining full control over the application and all integrated security tools it manages. The attacker can plant backdoor accounts, harvest plaintext connector credentials, and modify security tool configurations to conceal their intrusion.
The vulnerability is fixed in version 0.1.57 by removing the hardcoded fallback, enforcing that JWT_SECRET must be explicitly set and not equal to the compromised default, and by auto-generating unique secrets per deployment.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows an unauthenticated attacker to gain full administrative access to the SOCFortress CoPilot application and every security tool it manages, such as Wazuh, Graylog, DFIR-IRIS, Cortex, and Velociraptor.
- Attackers can forge admin JWT tokens without credentials.
- They can plant backdoor accounts to maintain persistent access.
- They can harvest plaintext connector credentials, compromising integrations.
- They can modify detection rules, suppress alerts, and manipulate endpoints to conceal their activities.
Because the attacker controls the security tools used by SOC analysts, the breach is self-concealing and extremely difficult to detect or remediate without a full secret rotation and upgrade.
The CVSS score of 10.0 reflects the critical nature of this vulnerability, with high impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the use of a hardcoded JWT signing secret that allows forging of admin-scoped tokens. Detection involves checking if the deployed SOCFortress CoPilot instance is using the default or compromised JWT secret.
You can detect this vulnerability by verifying the JWT_SECRET environment variable or configuration setting. If it is unset or set to the known compromised default value "bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=", the system is vulnerable.
Suggested commands to check the JWT_SECRET value in a Docker Compose environment or on the host system include:
- Inspect the environment of the running container: `docker exec -it <container_name> printenv JWT_SECRET` (an empty result means the variable is unset and the hardcoded fallback is in use on affected versions).
- Check the .env file or other configuration files for the JWT_SECRET value: `grep '^JWT_SECRET=' .env`
- Search the deployment directory for the default secret string: `grep -r 'bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=' .`
Additionally, monitoring for forged admin JWT tokens or unusual admin activity without authentication could indicate exploitation, but this is complicated by the attacker's ability to conceal their actions by manipulating detection tools.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should:
- Ensure that the JWT_SECRET environment variable is explicitly set to a strong, unique secret and is not left unset or set to the compromised default.
- Generate a new JWT_SECRET using a secure method, for example: `openssl rand -base64 32`
- Update your deployment configuration (e.g., Docker Compose files, .env files) to use the new JWT_SECRET.
- Upgrade SOCFortress CoPilot to version 0.1.57 or later, which removes the hardcoded fallback and enforces validation of the JWT_SECRET.
- If you use TOTP (2FA), ensure the TOTP_ENCRYPTION_KEY is set before rotating the JWT_SECRET to avoid breaking existing 2FA enrollments.
- Rotate the JWT_SECRET before upgrading, as existing forged tokens remain valid until expiration.
These steps will invalidate all active JWT sessions, requiring users to re-authenticate, and will prevent attackers from forging admin tokens using the compromised secret.
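The detection check and the secret rotation described in the two answers above, combined into one script. This is an added example, not code from the advisory or from the CoPilot project; it assumes a dotenv-style .env file (one `KEY=value` per line), and the function and file names are assumptions. The default value it tests for is the one quoted in the advisory.

```shell
#!/bin/sh
# Added example (not advisory or CoPilot project code): audit a dotenv-style
# CoPilot .env file for a missing or default JWT_SECRET and rotate it.
# File layout and function names are assumptions.

DEFAULT_JWT_SECRET='bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc='

# Print the (unquoted) JWT_SECRET value from an env file; empty if absent.
read_jwt_secret() {
    sed -n 's/^JWT_SECRET=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Print "missing", "default" or "ok"; exit status 0 only when the secret is ok.
audit_jwt_secret() {
    secret=$(read_jwt_secret "$1")
    if [ -z "$secret" ]; then echo missing; return 1; fi
    if [ "$secret" = "$DEFAULT_JWT_SECRET" ]; then echo default; return 1; fi
    echo ok
}

# Generate a fresh 256-bit secret: the advisory's openssl recipe, with a
# /dev/urandom fallback for hosts without openssl.
new_jwt_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Replace (or append) JWT_SECRET in the env file with a freshly generated value.
# Warns when TOTP_ENCRYPTION_KEY is absent: the advisory says it must be set
# before rotation so existing 2FA enrollments keep working.
rotate_jwt_secret() {
    if ! grep -q '^TOTP_ENCRYPTION_KEY=.' "$1"; then
        echo "warning: TOTP_ENCRYPTION_KEY not set in $1; set it first if 2FA is in use" >&2
    fi
    secret=$(new_jwt_secret)
    # Temp file instead of sed -i, whose syntax differs between GNU and BSD sed.
    sed '/^JWT_SECRET=/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    printf 'JWT_SECRET=%s\n' "$secret" >> "$1"
    chmod 600 "$1"   # the file now holds a live credential
}

# Usage: sh copilot_jwt_secret.sh audit|rotate /path/to/.env
case "${1:-}" in
    audit)  audit_jwt_secret "$2" ;;
    rotate) rotate_jwt_secret "$2" && echo "rotated; all sessions must re-authenticate" ;;
esac
```

Run `audit` against each deployment's .env before and after the upgrade to 0.1.57; a non-zero exit status means the instance still relies on the fallback or the default value.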