Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is fixed in 4.11.0.
AnalysisAI
vantage6 servers auto-generate JWT secret keys using UUID1, a predictable algorithm that lacks cryptographic strength, allowing attackers to forge authentication tokens and gain unauthorized access to the privacy-preserving analysis platform. This affects all vantage6 versions prior to 4.11.0 where users have not manually defined a strong JWT secret. The vulnerability has a CVSS score of 7.5 with high confidentiality impact, as attackers can impersonate legitimate users without needing privileges or user interaction.
Technical ContextAI
The vulnerability stems from CWE-330 (Use of Insufficiently Random Values), a fundamental cryptographic weakness. vantage6 uses JWT (JSON Web Tokens) for authentication, but the default key generation relies on UUID1 (time-based, MAC-address-based UUIDs defined in RFC 4122) rather than cryptographically secure random generation. UUID1 is deterministic and predictable given knowledge of the timestamp and MAC address, making it unsuitable for cryptographic purposes like JWT signing. An attacker who can predict or brute-force the UUID1 value can generate valid JWTs, bypassing authentication entirely. The affected component is the vantage6 server's JWT initialization module, which generates keys at startup unless explicitly overridden via user configuration.
RemediationAI
Immediate actions: (1) Upgrade vantage6 to version 4.11.0 or later, which implements cryptographically secure random JWT key generation. (2) For systems unable to immediately upgrade, manually set the JWT_SECRET configuration parameter to a strong, cryptographically random value (minimum 256 bits of entropy, generated using tools like openssl rand -base64 32). (3) Rotate all existing JWT tokens and revoke any long-lived tokens issued prior to remediation. (4) Review server logs for suspicious authentication patterns or unauthorized token usage. (5) Consider implementing token expiration policies and rate limiting on token validation endpoints. Organizations should prioritize patching vantage6 instances handling sensitive research or healthcare data within 48-72 hours.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Rated critical severity (C
## Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. ## Vulnerabi
Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .ker
Same weakness CWE-330 – Use of Insufficiently Random Values
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18201
GHSA-m3mq-f375-5vgh