{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6635/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6635"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6635","authentication bypass","web application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw, identified as CVE-2026-6635, has been discovered in rowboatlabs rowboat, specifically in versions up to and including 0.1.67. This vulnerability resides within the \u003ccode\u003etool_call\u003c/code\u003e function located in the \u003ccode\u003eapps/experimental/tools_webhook/app.py\u003c/code\u003e file of the \u003ccode\u003etools_webhook\u003c/code\u003e component. The vulnerability stems from the improper handling of the \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument, which can be manipulated by a remote attacker to bypass authentication mechanisms. This flaw allows attackers to potentially gain unauthorized access and execute arbitrary actions within the application. Public exploits are available, increasing the urgency for mitigation. The vendor was notified but has not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of rowboatlabs rowboat version 0.1.67 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etool_call\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker manipulates the \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument with a crafted payload designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003etool_call\u003c/code\u003e function fails to properly validate the manipulated \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application grants the attacker unauthorized access based on the bypassed authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access to execute actions normally restricted to authenticated users.\u003c/li\u003e\n\u003cli\u003eDepending on the application\u0026rsquo;s functionality, this could involve data exfiltration, modification, or execution of arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6635 can lead to complete compromise of the rowboatlabs rowboat application. Attackers can gain unauthorized access to sensitive data, modify application settings, or even execute arbitrary code on the server. Due to the ease of exploitation with public exploits available, all instances of vulnerable rowboat versions are at immediate risk. The specific impact depends on the application\u0026rsquo;s role and the data it handles, but potential consequences include data breaches, service disruption, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation to the \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument in the \u003ccode\u003etool_call\u003c/code\u003e function within \u003ccode\u003eapps/experimental/tools_webhook/app.py\u003c/code\u003e to prevent improper authentication (CVE-2026-6635).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Rowboat Authentication Bypass Attempt via X-Tools-JWE Manipulation\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests targeting the \u003ccode\u003etool_call\u003c/code\u003e function with unusual \u003ccode\u003eX-Tools-JWE\u003c/code\u003e values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T12:16:09Z","date_published":"2026-04-20T12:16:09Z","id":"/briefs/2026-04-rowboat-auth-bypass/","summary":"An improper authentication vulnerability in rowboatlabs rowboat \u003c=0.1.67 allows remote attackers to bypass authentication by manipulating the X-Tools-JWE argument in the tool_call function, potentially leading to unauthorized access and control.","title":"Rowboatlabs Rowboat Improper Authentication Vulnerability (CVE-2026-6635)","url":"https://feed.craftedsignal.io/briefs/2026-04-rowboat-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-6635","version":"https://jsonfeed.org/version/1.1"}