CVE-2026-62241
clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
clawvet self-hosted API server (apps/api) before 0.7.5 hard-codes a fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated attacker can harvest a victim's userId, forge a valid HS256 cg_session cookie offline using the known secret, and call GET /api/v1/auth/me to obtain the victim's email address, subscription plan, and secret apiKey. The published clawvet npm package (CLI only) is not affected.
| CWE | CWE-306 CWE-321 |
| Vendor | mohibshaikh |
| Product | clawvet |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for mohibshaikh clawvet
Be the first to know when new critical vulnerabilities affecting mohibshaikh clawvet are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
MohibShaikh / clawvet
0 < 0.7.5
References
Credits
๐ EQSTLab Seyong Kim (@useworld)