PatchSiren cyber security CVE debrief
CVE-2026-62241 MohibShaikh CVE debrief
CVE-2026-62241 is a critical vulnerability in Clawvet self-hosted API server (apps/api) before version 0.7.5. The vulnerability arises from a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts, which is shipped as the default in .env.example. This secret is used to forge valid HS256 cg_session cookies. An attacker can exploit this by harvesting a victim's userId from the unauthenticated GET /api/v1/scans endpoint, then forge a valid cookie offline. With this cookie, the attacker can call GET /api/v1/auth/me to obtain the victim's email address, subscription plan, and secret apiKey.
- Vendor
- MohibShaikh
- Product
- clawvet
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Clawvet self-hosted API server (apps/api) versions before 0.7.5 should prioritize upgrading to the latest version. Security teams and administrators responsible for applications using Clawvet should assess their exposure and take immediate action to mitigate potential risks.
Technical summary
The Clawvet self-hosted API server (apps/api) before version 0.7.5 contains a critical vulnerability (CVE-2026-62241) due to a hard-coded fallback JWT secret. This secret is embedded in auth.ts and provided as a default in .env.example. The vulnerability allows a remote unauthenticated attacker to harvest userIds from the GET /api/v1/scans endpoint, forge valid HS256 cg_session cookies using the known secret, and subsequently obtain sensitive victim information by calling GET /api/v1/auth/me.
Defensive priority
High
Recommended defensive actions
- Upgrade Clawvet self-hosted API server (apps/api) to version 0.7.5 or later
- Review and modify the default JWT secret in auth.ts and .env.example
- Implement additional authentication mechanisms for the GET /api/v1/scans endpoint
- Monitor for suspicious activity related to cg_session cookies and userId harvesting
- Consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts
Evidence notes
The CVE record was published on 2026-07-17T02:18:11.740Z and has not been modified since then. The NVD entry is currently Received. Limited information is available about the affected scope and vendor remediation efforts.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:11.740Z and has not been modified since then. The NVD entry is currently Received.