Skip to main content

CWE-321

Use of Hard-coded Cryptographic Key

232 CVEs Avg CVSS 7.3 MITRE
66
CRITICAL
79
HIGH
62
MEDIUM
24
LOW
46
POC
2
KEV

Monthly

CVE-2026-9770 HIGH PATCH This Week

Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.

Information Disclosure Kasa Ec71 V4 Kasa Ec70 V4
NVD VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-56271 npm CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-57172 HIGH PATCH This Week

Authentication bypass in DataEase before 2.10.24 lets remote attackers forge valid share-link JWTs because ShareSecretManage ships with a hardcoded signature key (link-pwd-fit2cloud). An attacker who has obtained any passwordless share can mint linkToken JWTs that pass TokenFilter verification and access backend resources as the original share creator, even after that share has been revoked. There is no public exploit identified at time of analysis, but the hardcoded key is disclosed in the advisory, making forgery trivial once the signing algorithm is known.

Authentication Bypass Dataease
NVD GitHub
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-54833 HIGH This Week

Unauthenticated backdoor in the WordPress "Enable CORS" plugin (versions <= 2.0.3) lets remote attackers leverage a hard-coded cryptographic key (CWE-321) to bypass access controls and read or alter protected data without any credentials. Reported by Patchstack and tagged as Information Disclosure, the issue carries a CVSS 7.4; no public exploit and no CISA KEV listing exist at the time of analysis, and despite the network attack vector the CVSS marks high attack complexity, indicating exploitation is non-trivial.

Information Disclosure
NVD
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-9220 HIGH This Week

Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Google
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-39031 MEDIUM This Month

Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-35019 CRITICAL PATCH Act Now

Authentication bypass in NetComm NF20MESH routers (firmware R6B031 and earlier) allows unauthenticated remote attackers to forge valid encrypted session cookies using a hardcoded AES-256 key embedded in the firmware, granting full administrative control of the web management interface. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): because the same static AES-256 key is shared across all devices, any attacker who extracts it from firmware can impersonate any session. Exploitation requires an active administrator session and network reachability to the management interface; no KEV listing or confirmed public exploit exists at time of analysis, though the hardcoded-key nature makes the attack highly automatable once the key is disclosed.

Authentication Bypass Nf20Mesh
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-9260 MEDIUM This Month

Hard-coded cryptographic keys embedded in Canon EOS Network Setting Tool version 1.5.0 and earlier expose static decryption material to any local system user, enabling unauthorized decryption of protected network traffic or configuration data exchanged between the tool and Canon EOS cameras. The flaw is CWE-321 (Use of Hard-coded Cryptographic Key) and is classified as an information disclosure vulnerability with high confidentiality impact, bounded by the requirement for local system access. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Eos Network Setting Tool
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-34029 MEDIUM This Month

Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables local attackers to decrypt sensitive licensing and configuration data for vault room and safe deposit locker systems. The static key, embedded in SafeSystem.Infrastructure.Security.dll, can be recovered through standard reverse engineering, then used to decrypt the licence.whs file - which itself contains a second key granting access to additional configuration files. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is known at time of analysis; however, the attack requires only low-privilege local file access and straightforward tooling, making it realistic for any insider or attacker who achieves filesystem access.

Information Disclosure Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-34022 HIGH This Week

Cryptographic key disclosure in Wertheim SafeController Family 65000 (AssemblyVersion 6.11.8130.22319), a microcontroller-based safe deposit locker system, allows adjacent attackers to decrypt protected communications. The device uses a weak custom (proprietary) cryptographic algorithm with hard-coded keys, and researchers at SEC-VLab demonstrated both breaking the encryption routine and recovering the key by intercepting sufficient traffic. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Wertheim Safecontroller Family 65000 Hardware For Vault Rooms Safe Deposit Locker System Microcontroller
NVD
CVSS 4.0
7.1
EPSS
0.1%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.

Information Disclosure Kasa Ec71 V4 Kasa Ec70 V4
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Flowise
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authentication bypass in DataEase before 2.10.24 lets remote attackers forge valid share-link JWTs because ShareSecretManage ships with a hardcoded signature key (link-pwd-fit2cloud). An attacker who has obtained any passwordless share can mint linkToken JWTs that pass TokenFilter verification and access backend resources as the original share creator, even after that share has been revoked. There is no public exploit identified at time of analysis, but the hardcoded key is disclosed in the advisory, making forgery trivial once the signing algorithm is known.

Authentication Bypass Dataease
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

Unauthenticated backdoor in the WordPress "Enable CORS" plugin (versions <= 2.0.3) lets remote attackers leverage a hard-coded cryptographic key (CWE-321) to bypass access controls and read or alter protected data without any credentials. Reported by Patchstack and tagged as Information Disclosure, the issue carries a CVSS 7.4; no public exploit and no CISA KEV listing exist at the time of analysis, and despite the network attack vector the CVSS marks high attack complexity, indicating exploitation is non-trivial.

Information Disclosure
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Google
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.

Information Disclosure N A
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Authentication bypass in NetComm NF20MESH routers (firmware R6B031 and earlier) allows unauthenticated remote attackers to forge valid encrypted session cookies using a hardcoded AES-256 key embedded in the firmware, granting full administrative control of the web management interface. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): because the same static AES-256 key is shared across all devices, any attacker who extracts it from firmware can impersonate any session. Exploitation requires an active administrator session and network reachability to the management interface; no KEV listing or confirmed public exploit exists at time of analysis, though the hardcoded-key nature makes the attack highly automatable once the key is disclosed.

Authentication Bypass Nf20Mesh
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Hard-coded cryptographic keys embedded in Canon EOS Network Setting Tool version 1.5.0 and earlier expose static decryption material to any local system user, enabling unauthorized decryption of protected network traffic or configuration data exchanged between the tool and Canon EOS cameras. The flaw is CWE-321 (Use of Hard-coded Cryptographic Key) and is classified as an information disclosure vulnerability with high confidentiality impact, bounded by the requirement for local system access. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Eos Network Setting Tool
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables local attackers to decrypt sensitive licensing and configuration data for vault room and safe deposit locker systems. The static key, embedded in SafeSystem.Infrastructure.Security.dll, can be recovered through standard reverse engineering, then used to decrypt the licence.whs file - which itself contains a second key granting access to additional configuration files. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is known at time of analysis; however, the attack requires only low-privilege local file access and straightforward tooling, making it realistic for any insider or attacker who achieves filesystem access.

Information Disclosure Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cryptographic key disclosure in Wertheim SafeController Family 65000 (AssemblyVersion 6.11.8130.22319), a microcontroller-based safe deposit locker system, allows adjacent attackers to decrypt protected communications. The device uses a weak custom (proprietary) cryptographic algorithm with hard-coded keys, and researchers at SEC-VLab demonstrated both breaking the encryption routine and recovering the key by intercepting sufficient traffic. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Wertheim Safecontroller Family 65000 Hardware For Vault Rooms Safe Deposit Locker System Microcontroller
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy