PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62241 MohibShaikh CVE debrief

CVE-2026-62241 is a critical vulnerability in Clawvet self-hosted API server (apps/api) before version 0.7.5. The vulnerability arises from a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts, which is shipped as the default in .env.example. This secret is used to forge valid HS256 cg_session cookies. An attacker can exploit this by harvesting a victim's userId from the unauthenticated GET /api/v1/scans endpoint, then forge a valid cookie offline. With this cookie, the attacker can call GET /api/v1/auth/me to obtain the victim's email address, subscription plan, and secret apiKey.

Vendor
MohibShaikh
Product
clawvet
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Clawvet self-hosted API server (apps/api) versions before 0.7.5 should prioritize upgrading to the latest version. Security teams and administrators responsible for applications using Clawvet should assess their exposure and take immediate action to mitigate potential risks.

Technical summary

The Clawvet self-hosted API server (apps/api) before version 0.7.5 contains a critical vulnerability (CVE-2026-62241) due to a hard-coded fallback JWT secret. This secret is embedded in auth.ts and provided as a default in .env.example. The vulnerability allows a remote unauthenticated attacker to harvest userIds from the GET /api/v1/scans endpoint, forge valid HS256 cg_session cookies using the known secret, and subsequently obtain sensitive victim information by calling GET /api/v1/auth/me.

Defensive priority

High

Recommended defensive actions

  • Upgrade Clawvet self-hosted API server (apps/api) to version 0.7.5 or later
  • Review and modify the default JWT secret in auth.ts and .env.example
  • Implement additional authentication mechanisms for the GET /api/v1/scans endpoint
  • Monitor for suspicious activity related to cg_session cookies and userId harvesting
  • Consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts

Evidence notes

The CVE record was published on 2026-07-17T02:18:11.740Z and has not been modified since then. The NVD entry is currently Received. Limited information is available about the affected scope and vendor remediation efforts.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:11.740Z and has not been modified since then. The NVD entry is currently Received.