Impact
This vulnerability allows an attacker who can determine the YETI_AUTH_SECRET_KEY to create arbitrary JSON Web Tokens that the Yeti platform will accept as authentic. By forging such tokens, a malicious actor could impersonate any user or service account present in the system, potentially accessing sensitive data and performing privileged operations. The weakness lies in how the JWT signing key is handled: a default or predictable key lets anyone who knows it mint credentials the platform trusts. The vulnerability is documented as CVE-2024-46508 and originates from a configuration limitation rather than a software bug.
Affected Systems
The flaw affects Yeti Platform versions prior to 2.1.12. Any deployment that has not changed the default or hard‑coded YETI_AUTH_SECRET_KEY is susceptible. The vendor is not listed in the CNA records, but affected installations are those running the open‑source Yeti platform where the secret key remains at its default value.
Risk and Exploitability
The exploit requires knowledge of the current secret key, whether it is still the default or was manually set to a predictable value. Once the key is known, the attacker can generate a valid JWT with any desired claims and present it to the service. The system will accept it without further verification, effectively bypassing authentication. No EPSS score is available and the vulnerability is not present in CISA KEV, but its impact is severe because authentication itself is compromised. If the secret is not changed, anyone who knows the default can create valid credentials and impersonate any user, leading to full system compromise.
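The remediation implied above, as an added Python example that is not code from the Yeti project: a startup check that refuses a default or too-short YETI_AUTH_SECRET_KEY, and a minimal HS256 verifier showing that a token minted under the old default no longer validates once the secret is rotated. The placeholder default string and the 32-byte minimum are assumptions, not Yeti values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder for a shipped default; the real value is deliberately not reproduced.
KNOWN_WEAK_SECRETS = {"CHANGEME-default-secret-placeholder"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_secret(secret: str) -> list:
    """Startup check: reasons the configured YETI_AUTH_SECRET_KEY must be rejected (empty = OK)."""
    problems = []
    if any(hmac.compare_digest(secret.encode(), w.encode()) for w in KNOWN_WEAK_SECRETS):
        problems.append("secret is a known default/placeholder value")
    if len(secret.encode()) < 32:  # assumed policy minimum, not a Yeti setting
        problems.append("secret is shorter than 32 bytes")
    return problems


def generate_secret() -> str:
    """Replacement secret with enough entropy to pass check_secret()."""
    return secrets.token_urlsafe(48)


def sign_hs256(claims: dict, secret: str) -> str:
    """What the issuing service does: HMAC-SHA256 over base64url(header).base64url(payload)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: str):
    """Return the claims only if the signature verifies under *secret*; None otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Pin the algorithm (no "none", no substitution) and compare in constant time.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not hmac.compare_digest(expected, signature):
        return None
    return claims
```

Run check_secret() against the configured value before the service starts serving requests; any token issued under a rejected secret becomes invalid the moment the secret is rotated.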
OpenCVE Enrichment