Clawvet API Server Hard-Coded JWT Secret Vulnerability (CVE-2026-62241)
A critical vulnerability exists in the clawvet self-hosted API server (apps/api) before version 0.7.5 due to a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') shipped in the default .env.example, allowing an unauthenticated remote attacker to harvest user IDs, forge session cookies, and retrieve sensitive user information including email address, subscription plan, and API key via the /api/v1/auth/me endpoint.
CVE-2026-62241 details a critical security vulnerability affecting the clawvet self-hosted API server (apps/api) in versions prior to 0.7.5. The vulnerability stems from the application hard-coding a fallback JWT secret, 'clawvet-dev-secret-change-me', which is also provided as the default in its .env.example file. This design flaw enables a remote unauthenticated attacker to bypass authentication. Attackers can first access the unprotected /api/v1/scans endpoint to harvest valid user IDs. Subsequently, using any obtained user ID and the publicly known secret, the attacker can forge a valid HS256 cg_session cookie offline. This forged cookie allows them to impersonate a legitimate user and call the /api/v1/auth/me endpoint, thereby obtaining sensitive user details such as email addresses, subscription plans, and secret API keys. The issue has a CVSS v3.1 base score of 9.1 (Critical), highlighting the severe risk of data exfiltration and unauthorized account access. The published clawvet npm package (CLI only) is not affected.
Attack Chain
- An unauthenticated remote attacker identifies a clawvet self-hosted API server instance running a vulnerable version (prior to 0.7.5).
- The attacker sends an unauthenticated GET request to the
/api/v1/scansendpoint to retrieve publicly exposed scan records and harvest validuserIdvalues. - The attacker identifies the hard-coded fallback JWT secret, 'clawvet-dev-secret-change-me', either from public source code repositories or the default
.env.exampleconfiguration file. - Using a harvested
userIdand the known JWT secret, the attacker offline crafts and signs a valid HS256cg_sessionJSON Web Token (JWT). - The attacker sends an authenticated GET request to the
/api/v1/auth/meAPI endpoint, including the forgedcg_sessioncookie in the request headers. - The vulnerable server processes the forged token as legitimate, grants access to the
auth/meendpoint, and discloses the victim's email address, subscription plan, and secret API key to the attacker.
Impact
Successful exploitation of CVE-2026-62241 leads to critical data exposure and unauthorized access to user accounts within affected clawvet self-hosted API server deployments. Attackers can exfiltrate sensitive personal identifiable information (PII) such as email addresses, obtain details about victim's subscription plans, and most critically, acquire secret API keys. These API keys can then be used for further unauthorized actions, potentially granting full control over a victim's account, accessing or manipulating data associated with the account, or leveraging the API key to compromise integrated systems or services. The number of affected organizations and individuals depends on the prevalence of vulnerable self-hosted clawvet API server instances.
Recommendation
- Patch CVE-2026-62241 by updating
clawvet self-hosted API server (apps/api)to version 0.7.5 or later immediately. - Ensure custom, strong secrets are used for
cg_sessionJWTs, replacing the defaultclawvet-dev-secret-change-mesecret within your deployment. - Monitor web server access logs for repeated or unusual requests to the
/api/v1/scansand/api/v1/auth/meAPI endpoints from single source IP addresses or unexpected geographic locations.
Indicators of compromise
1
other
| Type | Value |
|---|---|
| other | clawvet-dev-secret-change-me |