CRITICAL
MohibShaikh
CVE published 2026-07-17
CVE-2026-62241
CVE-2026-62241 is a critical vulnerability in Clawvet self-hosted API server (apps/api) before version 0.7.5. The vulnerability arises from a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts, which is shipped as the default in .env.example. This secret is used to forge valid HS256 cg_session cookies. An attacker can exploit this by harvesting a victim's userId from the unauthenti [truncated]