{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/clawvet-self-hosted-api-server-apps/api/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-62241"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["clawvet self-hosted API server (apps/api)"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","CVE-2026-62241","JWT","API","hardcoded-secret"],"_cs_type":"advisory","_cs_vendors":["clawvet"],"content_html":"\u003cp\u003eCVE-2026-62241 details a critical security vulnerability affecting the clawvet self-hosted API server (apps/api) in versions prior to 0.7.5. The vulnerability stems from the application hard-coding a fallback JWT secret, 'clawvet-dev-secret-change-me', which is also provided as the default in its \u003ccode\u003e.env.example\u003c/code\u003e file. This design flaw enables a remote unauthenticated attacker to bypass authentication. Attackers can first access the unprotected \u003ccode\u003e/api/v1/scans\u003c/code\u003e endpoint to harvest valid user IDs. Subsequently, using any obtained user ID and the publicly known secret, the attacker can forge a valid HS256 \u003ccode\u003ecg_session\u003c/code\u003e cookie offline. This forged cookie allows them to impersonate a legitimate user and call the \u003ccode\u003e/api/v1/auth/me\u003c/code\u003e endpoint, thereby obtaining sensitive user details such as email addresses, subscription plans, and secret API keys. The issue has a CVSS v3.1 base score of 9.1 (Critical), highlighting the severe risk of data exfiltration and unauthorized account access. The published clawvet npm package (CLI only) is not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies a clawvet self-hosted API server instance running a vulnerable version (prior to 0.7.5).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to the \u003ccode\u003e/api/v1/scans\u003c/code\u003e endpoint to retrieve publicly exposed scan records and harvest valid \u003ccode\u003euserId\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the hard-coded fallback JWT secret, 'clawvet-dev-secret-change-me', either from public source code repositories or the default \u003ccode\u003e.env.example\u003c/code\u003e configuration file.\u003c/li\u003e\n\u003cli\u003eUsing a harvested \u003ccode\u003euserId\u003c/code\u003e and the known JWT secret, the attacker offline crafts and signs a valid HS256 \u003ccode\u003ecg_session\u003c/code\u003e JSON Web Token (JWT).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an authenticated GET request to the \u003ccode\u003e/api/v1/auth/me\u003c/code\u003e API endpoint, including the forged \u003ccode\u003ecg_session\u003c/code\u003e cookie in the request headers.\u003c/li\u003e\n\u003cli\u003eThe vulnerable server processes the forged token as legitimate, grants access to the \u003ccode\u003eauth/me\u003c/code\u003e endpoint, and discloses the victim's email address, subscription plan, and secret API key to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-62241 leads to critical data exposure and unauthorized access to user accounts within affected clawvet self-hosted API server deployments. Attackers can exfiltrate sensitive personal identifiable information (PII) such as email addresses, obtain details about victim's subscription plans, and most critically, acquire secret API keys. These API keys can then be used for further unauthorized actions, potentially granting full control over a victim's account, accessing or manipulating data associated with the account, or leveraging the API key to compromise integrated systems or services. The number of affected organizations and individuals depends on the prevalence of vulnerable self-hosted clawvet API server instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-62241 by updating \u003ccode\u003eclawvet self-hosted API server (apps/api)\u003c/code\u003e to version 0.7.5 or later immediately.\u003c/li\u003e\n\u003cli\u003eEnsure custom, strong secrets are used for \u003ccode\u003ecg_session\u003c/code\u003e JWTs, replacing the default \u003ccode\u003eclawvet-dev-secret-change-me\u003c/code\u003e secret within your deployment.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for repeated or unusual requests to the \u003ccode\u003e/api/v1/scans\u003c/code\u003e and \u003ccode\u003e/api/v1/auth/me\u003c/code\u003e API endpoints from single source IP addresses or unexpected geographic locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T02:20:26Z","date_published":"2026-07-17T02:20:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-62241-clawvet-jwt-secret/","summary":"A critical vulnerability exists in the clawvet self-hosted API server (apps/api) before version 0.7.5 due to a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') shipped in the default .env.example, allowing an unauthenticated remote attacker to harvest user IDs, forge session cookies, and retrieve sensitive user information including email address, subscription plan, and API key via the /api/v1/auth/me endpoint.","title":"Clawvet API Server Hard-Coded JWT Secret Vulnerability (CVE-2026-62241)","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-62241-clawvet-jwt-secret/"}],"language":"en","title":"CraftedSignal Threat Feed - Clawvet Self-Hosted API Server (Apps/Api)","version":"https://jsonfeed.org/version/1.1"}