CVE-2026-25505 (GCVE-0-2026-25505)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:06 – Updated: 2026-02-06 18:41
VLAI
Title
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
Summary
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code, and many API routes do not check authentication. This issue has been patched in version 0.1.7.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/maziggy/bambuddy/security/advi… | x_refsource_CONFIRM |
| https://github.com/maziggy/bambuddy/pull/225 | x_refsource_MISC |
| https://github.com/maziggy/bambuddy/commit/a82f92… | x_refsource_MISC |
| https://github.com/maziggy/bambuddy/commit/c31f29… | x_refsource_MISC |
| https://github.com/maziggy/bambuddy/blob/a9bb8ed8… | x_refsource_MISC |
| https://github.com/maziggy/bambuddy/blob/main/CHA… | x_refsource_MISC |
| https://github.com/maziggy/bambuddy/releases/tag/v0.1.7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25505",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T20:35:19.621359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:35:30.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bambuddy",
"vendor": "maziggy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.1.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code, and many API routes do not check authentication. This issue has been patched in version 0.1.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T18:41:07.205Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf"
},
{
"name": "https://github.com/maziggy/bambuddy/pull/225",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/maziggy/bambuddy/pull/225"
},
{
"name": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9"
},
{
"name": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb"
},
{
"name": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28"
},
{
"name": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md"
},
{
"name": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7"
}
],
"source": {
"advisory": "GHSA-gc24-px2r-5qmf",
"discovery": "UNKNOWN"
},
"title": "Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25505",
"datePublished": "2026-02-04T20:06:30.538Z",
"dateReserved": "2026-02-02T18:21:42.486Z",
"dateUpdated": "2026-02-06T18:41:07.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}