Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET is not explicitly set - including the default Docker Compose setup - signs all authentication tokens with this publicly known value. An unauthenticated attacker can forge arbitrary admin-scoped JWTs and gain full control of the application and every security tool it manages without any credentials. This vulnerability is fixed in 0.1.57.
AnalysisAI
Authentication bypass in SOCFortress CoPilot versions prior to 0.1.57 allows remote unauthenticated attackers to forge admin-scoped JWT tokens and gain full control of the security operations platform. The application ships with a publicly known JWT signing secret hardcoded as a fallback value (bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=) in backend/app/auth/utils.py and .env.example. Any deployment using the default Docker Compose setup or where JWT_SECRET is not explicitly set signs all authentication tokens with this known value, enabling attackers to impersonate administrators and control every integrated security tool without credentials. CVSS 10.0 with network vector and no authentication required. Fix confirmed in version 0.1.57 via GitHub commit 4640511a0cf2e7b144a71375b5b349a8318cb186.
Technical ContextAI
JSON Web Tokens (JWT) rely on cryptographic signatures to verify authenticity and prevent tampering. The signing secret must remain confidential and unique per deployment. SOCFortress CoPilot's AuthHandler class in backend/app/auth/utils.py contained a hardcoded fallback for JWT_SECRET, identical to the default in .env.example, used when the environment variable was unset. This violates secure coding practices for secret management and maps to CWE-287 (Improper Authentication). The Docker Compose default deployment did not prompt users to change this value, leaving production systems vulnerable. The secret was used to sign JWTs for all user sessions, including admin-level authentication tokens. An attacker with knowledge of the public secret can use standard JWT libraries (PyJWT, jsonwebtoken) to forge tokens with arbitrary user IDs and admin scopes, bypassing all authentication controls. The vulnerability also affected TOTP secret encryption in backend/app/auth/services/totp.py, which derived a Fernet key from the same JWT_SECRET, potentially exposing multi-factor authentication secrets. The fix removes the hardcoded fallback and forces the application to terminate at startup if JWT_SECRET is missing or set to the known-compromised value, preventing unsafe deployments.
RemediationAI
Upgrade immediately to SOCFortress CoPilot version 0.1.57 or later, confirmed fixed in commit 4640511a0cf2e7b144a71375b5b349a8318cb186 via pull request 814 (https://github.com/socfortress/CoPilot/pull/814). The patched version refuses to start if JWT_SECRET is unset or contains the compromised default value, forcing secure configuration. After upgrading, operators must generate a unique JWT secret using openssl rand -base64 32 and set it in the JWT_SECRET environment variable before restarting. Critical: All existing JWT tokens and user sessions signed with the old secret must be invalidated immediately, as attackers may have pre-generated forged admin tokens. Review authentication logs for suspicious admin access patterns and audit all configuration changes made to integrated security tools, as attackers with forged admin JWTs could modify SIEM rules, disable monitoring, or exfiltrate security event data. If upgrade is not immediately possible, the only effective mitigation is to take the CoPilot instance offline, as network isolation or authentication proxies cannot prevent JWT forgery. Do not rely on WAF or IP restrictions - the vulnerability is in token validation logic, not network access. Partial mitigation by manually setting a unique JWT_SECRET in pre-0.1.57 versions stops new exploitation but does not invalidate previously forged tokens or address TOTP encryption using the old key, requiring immediate upgrade plus full user credential rotation.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29184