CVE-2026-62241
Received Received - Intake

Hard-Coded JWT Secret in Clawvet Self-Hosted API Server

Vulnerability report for CVE-2026-62241, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

clawvet self-hosted API server (apps/api) before 0.7.5 hard-codes a fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated attacker can harvest a victim's userId, forge a valid HS256 cg_session cookie offline using the known secret, and call GET /api/v1/auth/me to obtain the victim's email address, subscription plan, and secret apiKey. The published clawvet npm package (CLI only) is not affected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
clawvet clawvet to 0.7.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-62241 is a critical vulnerability in the Clawvet self-hosted API server (versions 0.7.1 and earlier) caused by a hard-coded JWT secret. The default secret 'clawvet-dev-secret-change-me' is embedded in auth.ts and included in .env.example. Attackers can exploit this by harvesting user IDs from an unauthenticated scan endpoint, forging a valid session cookie using the known secret, and accessing victim account details including secret API keys.

Detection Guidance

Check if your clawvet API server version is 0.7.1 or earlier by running: curl -s http://<your-server>/api/v1/version. If the version is vulnerable, unauthenticated requests to GET /api/v1/scans will return user IDs without requiring authentication.

Impact Analysis

Unauthenticated remote attackers can steal your email, subscription plan, and secret API key by exploiting this flaw. The attack requires no prior interaction and can be executed with just three HTTP requests. The vulnerability affects only the API server component, not the published npm package.

Compliance Impact

This vulnerability likely violates compliance requirements for data protection such as GDPR and HIPAA due to unauthorized access to sensitive user data including email addresses, subscription details, and secret API keys. Organizations using affected versions may face regulatory penalties for failing to protect personal and sensitive information.

Mitigation Strategies

Upgrade the clawvet API server to version 0.7.5 or later. Remove the hard-coded JWT secret from auth.ts and .env.example. Enforce a minimum length for the JWT secret and add authentication to the /api/v1/scans endpoint.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart