Skip to main content

SOCFortress CoPilot CVE-2026-42869

| EUVDEUVD-2026-29184 CRITICAL
Improper Authentication (CWE-287)
2026-05-11 GitHub_M
10.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 11, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 11, 2026 - 19:46 vuln.today
Analysis Generated
May 11, 2026 - 19:46 vuln.today
CVE Published
May 11, 2026 - 18:39 nvd
CRITICAL 10.0

DescriptionGitHub Advisory

SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET is not explicitly set - including the default Docker Compose setup - signs all authentication tokens with this publicly known value. An unauthenticated attacker can forge arbitrary admin-scoped JWTs and gain full control of the application and every security tool it manages without any credentials. This vulnerability is fixed in 0.1.57.

AnalysisAI

Authentication bypass in SOCFortress CoPilot versions prior to 0.1.57 allows remote unauthenticated attackers to forge admin-scoped JWT tokens and gain full control of the security operations platform. The application ships with a publicly known JWT signing secret hardcoded as a fallback value (bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=) in backend/app/auth/utils.py and .env.example. Any deployment using the default Docker Compose setup or where JWT_SECRET is not explicitly set signs all authentication tokens with this known value, enabling attackers to impersonate administrators and control every integrated security tool without credentials. CVSS 10.0 with network vector and no authentication required. Fix confirmed in version 0.1.57 via GitHub commit 4640511a0cf2e7b144a71375b5b349a8318cb186.

Technical ContextAI

JSON Web Tokens (JWT) rely on cryptographic signatures to verify authenticity and prevent tampering. The signing secret must remain confidential and unique per deployment. SOCFortress CoPilot's AuthHandler class in backend/app/auth/utils.py contained a hardcoded fallback for JWT_SECRET, identical to the default in .env.example, used when the environment variable was unset. This violates secure coding practices for secret management and maps to CWE-287 (Improper Authentication). The Docker Compose default deployment did not prompt users to change this value, leaving production systems vulnerable. The secret was used to sign JWTs for all user sessions, including admin-level authentication tokens. An attacker with knowledge of the public secret can use standard JWT libraries (PyJWT, jsonwebtoken) to forge tokens with arbitrary user IDs and admin scopes, bypassing all authentication controls. The vulnerability also affected TOTP secret encryption in backend/app/auth/services/totp.py, which derived a Fernet key from the same JWT_SECRET, potentially exposing multi-factor authentication secrets. The fix removes the hardcoded fallback and forces the application to terminate at startup if JWT_SECRET is missing or set to the known-compromised value, preventing unsafe deployments.

RemediationAI

Upgrade immediately to SOCFortress CoPilot version 0.1.57 or later, confirmed fixed in commit 4640511a0cf2e7b144a71375b5b349a8318cb186 via pull request 814 (https://github.com/socfortress/CoPilot/pull/814). The patched version refuses to start if JWT_SECRET is unset or contains the compromised default value, forcing secure configuration. After upgrading, operators must generate a unique JWT secret using openssl rand -base64 32 and set it in the JWT_SECRET environment variable before restarting. Critical: All existing JWT tokens and user sessions signed with the old secret must be invalidated immediately, as attackers may have pre-generated forged admin tokens. Review authentication logs for suspicious admin access patterns and audit all configuration changes made to integrated security tools, as attackers with forged admin JWTs could modify SIEM rules, disable monitoring, or exfiltrate security event data. If upgrade is not immediately possible, the only effective mitigation is to take the CoPilot instance offline, as network isolation or authentication proxies cannot prevent JWT forgery. Do not rely on WAF or IP restrictions - the vulnerability is in token validation logic, not network access. Partial mitigation by manually setting a unique JWT_SECRET in pre-0.1.57 versions stops new exploitation but does not invalidate previously forged tokens or address TOTP encryption using the old key, requiring immediate upgrade plus full user credential rotation.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-42869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy