Cve-2026-6635 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-6635/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 20 Apr 2026 12:16:09 +0000Rowboatlabs Rowboat Improper Authentication Vulnerability (CVE-2026-6635)https://feed.craftedsignal.io/briefs/2026-04-rowboat-auth-bypass/Mon, 20 Apr 2026 12:16:09 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-rowboat-auth-bypass/An improper authentication vulnerability in rowboatlabs rowboat <=0.1.67 allows remote attackers to bypass authentication by manipulating the X-Tools-JWE argument in the tool_call function, potentially leading to unauthorized access and control.A critical security flaw, identified as CVE-2026-6635, has been discovered in rowboatlabs rowboat, specifically in versions up to and including 0.1.67. This vulnerability resides within the tool_call function located in the apps/experimental/tools_webhook/app.py file of the tools_webhook component. The vulnerability stems from the improper handling of the X-Tools-JWE argument, which can be manipulated by a remote attacker to bypass authentication mechanisms. This flaw allows attackers to potentially gain unauthorized access and execute arbitrary actions within the application. Public exploits are available, increasing the urgency for mitigation. The vendor was notified but has not responded.

Attack Chain

  1. Attacker identifies a vulnerable instance of rowboatlabs rowboat version 0.1.67 or earlier.
  2. The attacker crafts a malicious HTTP request targeting the tool_call function.
  3. Within the HTTP request, the attacker manipulates the X-Tools-JWE argument with a crafted payload designed to bypass authentication checks.
  4. The vulnerable tool_call function fails to properly validate the manipulated X-Tools-JWE argument.
  5. The application grants the attacker unauthorized access based on the bypassed authentication.
  6. The attacker leverages the unauthorized access to execute actions normally restricted to authenticated users.
  7. Depending on the application’s functionality, this could involve data exfiltration, modification, or execution of arbitrary code.

Impact

Successful exploitation of CVE-2026-6635 can lead to complete compromise of the rowboatlabs rowboat application. Attackers can gain unauthorized access to sensitive data, modify application settings, or even execute arbitrary code on the server. Due to the ease of exploitation with public exploits available, all instances of vulnerable rowboat versions are at immediate risk. The specific impact depends on the application’s role and the data it handles, but potential consequences include data breaches, service disruption, and financial loss.

Recommendation

  • Apply appropriate input validation to X-Tools-JWE argument using tool_call function within apps/experimental/tools_webhook/app.py to prevent improper authentication (CVE-2026-6635).
  • Deploy the Sigma rule Detect Rowboat Authentication Bypass Attempt via X-Tools-JWE Manipulation to detect exploitation attempts.
  • Monitor web server logs for HTTP requests targeting the tool_call function with unusual X-Tools-JWE values.
]]>highadvisorycve-2026-6635authentication bypassweb application