Skip to main content

Rowboat CVE-2026-6635

| EUVDEUVD-2026-23840 MEDIUM
Improper Authentication (CWE-287)
2026-04-20 VulDB GHSA-6c34-3mhj-jwxw
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 20, 2026 - 12:22 NVD
HIGH MEDIUM
CVSS changed
Apr 20, 2026 - 12:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 20, 2026 - 12:15 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 12:00 euvd
EUVD-2026-23840
Analysis Generated
Apr 20, 2026 - 12:00 vuln.today
CVE Published
Apr 20, 2026 - 11:45 nvd
MEDIUM 5.5

DescriptionCVE.org

A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper authentication in rowboatlabs rowboat (versions up to 0.1.67) allows remote unauthenticated attackers to bypass authentication by manipulating the X-Tools-JWE header in the tools_webhook component. The vulnerability enables unauthorized access with low confidentiality, integrity, and availability impact. A public exploit exists (CVSS E:P). The vendor did not respond to early disclosure attempts. EPSS data unavailable; not listed in CISA KEV, suggesting limited widespread exploitation despite public POC.

Technical ContextAI

The vulnerability resides in the tool_call function within apps/experimental/tools_webhook/app.py of the rowboat application's tools_webhook component. CWE-287 (Improper Authentication) indicates the application fails to correctly validate authentication tokens or credentials. The attack vector involves manipulating the X-Tools-JWE (JSON Web Encryption) header parameter, suggesting the application either improperly validates JWE tokens, accepts malformed tokens, or has a logic flaw in token verification that allows bypass. The affected product is rowboatlabs rowboat (cpe:2.3:a:rowboatlabs:rowboat), an experimental tools webhook application, with all versions through 0.1.67 vulnerable. The experimental nature of the tools_webhook component (indicated by the apps/experimental path) suggests this may be a development or beta feature that received inadequate security review.

RemediationAI

No vendor-released patch identified at time of analysis-the vendor did not respond to early disclosure. Organizations should immediately disable or remove the experimental tools_webhook component if not business-critical, as this eliminates the attack surface entirely. If tools_webhook functionality is required, implement strict network segmentation to restrict access to the /tools_webhook endpoint to trusted IP ranges only using firewall rules or reverse proxy ACLs (trade-off: limits legitimate remote access). Deploy a web application firewall (WAF) with custom rules to validate X-Tools-JWE header format and reject malformed or suspicious JWE tokens (trade-off: requires JWE schema knowledge and may cause false positives). Implement additional authentication layer at reverse proxy level (e.g., mutual TLS, IP allowlisting, or separate API key validation) before requests reach the vulnerable application (trade-off: adds infrastructure complexity). Monitor logs for unusual tool_call invocations or X-Tools-JWE header manipulation attempts. Consult the public exploit at https://github.com/Dave-gilmore-aus/security-advisories/blob/main/rowbat-advisory to understand specific attack patterns for detection signatures. Consider migrating to alternative webhook solutions if vendor remains unresponsive.

Share

CVE-2026-6635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy