Vendor
A critical vulnerability exists in the clawvet self-hosted API server (apps/api) before version 0.7.5 due to a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') shipped in the default .env.example, allowing an unauthenticated remote attacker to harvest user IDs, forge session cookies, and retrieve sensitive user information including email address, subscription plan, and API key via the /api/v1/auth/me endpoint.