Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of the argument SERVER_SECRET with the input secret causes use of hard-coded cryptographic key . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
JWT token handling in hcengineering Huly Platform 0.7.382 uses hard-coded cryptographic keys in the token.ts component, allowing remote attackers to forge or manipulate authentication tokens with high attack complexity. The vulnerability affects confidentiality and integrity of token-based authentication but requires significant technical effort to exploit, reflected in a low CVSS score (3.7) and high attack complexity rating. No active exploitation has been confirmed, and the vendor has not responded to disclosure attempts.
Technical ContextAI
The vulnerability resides in the JWT Token Handler functionality within hcengineering Huly Platform's foundations/core/packages/token/src/token.ts file. The root cause is classified under CWE-321 (Use of Hard-Coded Cryptographic Key), a critical weakness where security-sensitive cryptographic operations depend on static, embedded keys rather than dynamically managed secrets. The SERVER_SECRET parameter accepts user-supplied input that leads to reuse of hard-coded cryptographic material, compromising the security model of JSON Web Token generation and validation. This affects the entire Huly Platform product line across all versions in the CPE range, as the vulnerability exists in core JWT token handling infrastructure.
RemediationAI
Immediate remediation requires removal of hard-coded cryptographic keys from the JWT Token Handler and implementation of secure secret management for the SERVER_SECRET parameter. Users should upgrade to a patched version of Huly Platform once released by hcengineering; however, no vendor-released patch version has been independently confirmed at time of analysis. As an interim workaround, restrict network access to the JWT token endpoint and implement additional authentication layers (e.g., API gateway token validation) to limit token forging risk. Ensure that the SERVER_SECRET parameter is sourced from secure configuration management (environment variables, vault systems) rather than hard-coded values. Monitor hcengineering's official repository (https://vuldb.com/submit/785631) and security advisories for patch announcements, and consider contacting the vendor directly for remediation timeline if this affects production systems.
More in Huly Platform
View allSame weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19172
GHSA-x32v-jmqh-4323