๐Ÿ” CVE Alert

CVE-2026-62241

CRITICAL 9.1

clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th

clawvet self-hosted API server (apps/api) before 0.7.5 hard-codes a fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated attacker can harvest a victim's userId, forge a valid HS256 cg_session cookie offline using the known secret, and call GET /api/v1/auth/me to obtain the victim's email address, subscription plan, and secret apiKey. The published clawvet npm package (CLI only) is not affected.

CWE CWE-306 CWE-321
Vendor mohibshaikh
Product clawvet
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for mohibshaikh clawvet

Be the first to know when new critical vulnerabilities affecting mohibshaikh clawvet are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

MohibShaikh / clawvet
0 < 0.7.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/MohibShaikh/clawvet/security/advisories/GHSA-9mww-p953-jfc9 vulncheck.com: https://www.vulncheck.com/advisories/clawvet-hard-coded-jwt-secret-session-forgery

Credits

๐Ÿ” EQSTLab Seyong Kim (@useworld)