Impact
This vulnerability arises from the Yeti platform's handling of JSON Web Tokens. When YETI_AUTH_SECRET_KEY is left at its default value (SECRET) or set to a predictable string, the platform accepts any JWT signed with that key and trusts the claims in its payload without further validation. An attacker who learns the key can forge tokens that the system treats as authentic, impersonating users or service accounts. The result is an authentication bypass that grants unauthorized access to sensitive data and privileged functions. The weakness is classified as CWE-798, improper configuration leading to insecure default secret usage.
Affected Systems
The flaw affects Yeti Platform versions prior to 2.1.12. Any deployment that has not changed YETI_AUTH_SECRET_KEY from its default ("SECRET") is vulnerable. The platform is open-source; no vendor is listed in CNA records, and the affected installations are those running the community build without a properly configured secret.
Risk and Exploitability
Exploitation requires knowledge of YETI_AUTH_SECRET_KEY; if it is left at the default, an attacker can guess it or obtain it from exposed configuration. Once the key is known, the attacker can generate arbitrary JWTs that the service accepts, bypassing authentication and gaining system-wide access. The CVSS score of 7.5 indicates high severity, while an EPSS score below 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote or local depending on how the secret is exposed; in either case the attacker must first discover or predict the key.
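As an added illustration of the Impact and Risk sections above (not code from the Yeti project or from this advisory), the following stdlib-only Python shows a defensive startup check that refuses the default or a weak YETI_AUTH_SECRET_KEY, together with an HS256 verifier that pins the algorithm and compares signatures in constant time; it also demonstrates that a token issued under the default secret stops validating once the secret is rotated. The function names, the 32-byte minimum and the distinct-character threshold are assumptions, not Yeti's actual configuration logic.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

DEFAULT_SECRET = "SECRET"   # the insecure default named in the advisory
MIN_SECRET_BYTES = 32       # assumption: require at least 256 bits of key material


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_auth_secret(secret: str) -> None:
    """Startup guard (assumed name): refuse the default, empty or low-variety secret."""
    if secret == DEFAULT_SECRET or secret.strip() == "":
        raise RuntimeError("YETI_AUTH_SECRET_KEY is unset or still the default 'SECRET'")
    if len(secret.encode()) < MIN_SECRET_BYTES or len(set(secret)) < 8:
        raise RuntimeError("YETI_AUTH_SECRET_KEY is too short or too uniform to be safe")


def issue_token(claims: dict, secret: str) -> str:
    """HS256-sign a claim set: the service's own legitimate issuance path."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: str) -> Optional[dict]:
    """Return the claims only if the pinned HS256 signature matches under `secret`."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, AttributeError):
        return None


def rotate_secret() -> str:
    """Generate a fresh high-entropy secret that passes check_auth_secret."""
    return secrets.token_urlsafe(48)
```

Rotating the secret invalidates every outstanding token, so run the rotation together with a forced re-login for all users and service accounts.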
OpenCVE Enrichment