Skip to main content

Clawvet

1 CVEs product

Monthly

CVE-2026-62241 CRITICAL PATCH Act Now

Session forgery in the clawvet self-hosted API server (apps/api) before 0.7.5 lets a remote unauthenticated attacker fully impersonate any user and steal their secret apiKey. The server ships a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and .env.example, while an unauthenticated GET /api/v1/scans endpoint leaks victim userId values; combining these, an attacker forges a valid HS256 cg_session cookie offline and calls GET /api/v1/auth/me to exfiltrate the victim's email, subscription plan, and API key. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the technique is fully described and trivially reproducible; only the self-hosted API is affected, not the published clawvet npm CLI package.

Authentication Bypass Node.js Clawvet
NVD GitHub VulDB
CVSS 4.0
9.3
CVSS 9.3
CRITICAL PATCH Act Now

Session forgery in the clawvet self-hosted API server (apps/api) before 0.7.5 lets a remote unauthenticated attacker fully impersonate any user and steal their secret apiKey. The server ships a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and .env.example, while an unauthenticated GET /api/v1/scans endpoint leaks victim userId values; combining these, an attacker forges a valid HS256 cg_session cookie offline and calls GET /api/v1/auth/me to exfiltrate the victim's email, subscription plan, and API key. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the technique is fully described and trivially reproducible; only the self-hosted API is affected, not the published clawvet npm CLI package.

Authentication Bypass Node.js Clawvet
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy