Skip to main content

Huly Platform CVE-2026-5622

| EUVDEUVD-2026-19172 LOW
Use of Hard-coded Cryptographic Key (CWE-321)
2026-04-06 VulDB GHSA-x32v-jmqh-4323
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.3 (MEDIUM) 2.9 (LOW)
EUVD ID Assigned
Apr 06, 2026 - 04:45 euvd
EUVD-2026-19172
Analysis Generated
Apr 06, 2026 - 04:45 vuln.today
CVE Published
Apr 06, 2026 - 04:30 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of the argument SERVER_SECRET with the input secret causes use of hard-coded cryptographic key . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

JWT token handling in hcengineering Huly Platform 0.7.382 uses hard-coded cryptographic keys in the token.ts component, allowing remote attackers to forge or manipulate authentication tokens with high attack complexity. The vulnerability affects confidentiality and integrity of token-based authentication but requires significant technical effort to exploit, reflected in a low CVSS score (3.7) and high attack complexity rating. No active exploitation has been confirmed, and the vendor has not responded to disclosure attempts.

Technical ContextAI

The vulnerability resides in the JWT Token Handler functionality within hcengineering Huly Platform's foundations/core/packages/token/src/token.ts file. The root cause is classified under CWE-321 (Use of Hard-Coded Cryptographic Key), a critical weakness where security-sensitive cryptographic operations depend on static, embedded keys rather than dynamically managed secrets. The SERVER_SECRET parameter accepts user-supplied input that leads to reuse of hard-coded cryptographic material, compromising the security model of JSON Web Token generation and validation. This affects the entire Huly Platform product line across all versions in the CPE range, as the vulnerability exists in core JWT token handling infrastructure.

RemediationAI

Immediate remediation requires removal of hard-coded cryptographic keys from the JWT Token Handler and implementation of secure secret management for the SERVER_SECRET parameter. Users should upgrade to a patched version of Huly Platform once released by hcengineering; however, no vendor-released patch version has been independently confirmed at time of analysis. As an interim workaround, restrict network access to the JWT token endpoint and implement additional authentication layers (e.g., API gateway token validation) to limit token forging risk. Ensure that the SERVER_SECRET parameter is sourced from secure configuration management (environment variables, vault systems) rather than hard-coded values. Monitor hcengineering's official repository (https://vuldb.com/submit/785631) and security advisories for patch announcements, and consider contacting the vendor directly for remediation timeline if this affects production systems.

Share

CVE-2026-5622 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy