Description
A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue affects some unknown processing of the file core/auth.py of the component JWT Handler. Performing a manipulation of the argument SECRET_KEY results in use of default cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used.
Published: 2026-02-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

A flaw in rachelos WeRSS we-mp-rss allows an attacker to manipulate the SECRET_KEY argument used by the JWT handler so that the default cryptographic key is employed. This requires a remote request that specifies the altered key value. The vulnerability was rated as having high complexity and difficult exploitability, but the exploit code is publicly available.

Affected Systems

The issue affects the rachelos WeRSS we-mp-rss product for all releases up to and including version 1.4.8. No other versions or variants are known to be affected.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 6.3, indicating medium severity, while the EPSS score is below 1%, reflecting a low probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. An attacker can remotely bypass authentication by exploiting the default key, potentially allowing unauthorized access to protected resources.

Generated by OpenCVE AI on April 17, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WeRSS we-mp-rss to a version newer than 1.4.8 or apply the vendor's patch that eliminates the default key usage.
  • Configure the application so that the SECRET_KEY setting is a unique, randomly generated value and not left at its default.
  • Until the patch is applied, limit exposure of the JWT authentication endpoint by implementing network access controls or firewall rules that restrict remote connections to trusted hosts.


Advisories

No advisories yet.

History

Mon, 09 Feb 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Rachelos; Rachelos werss We-mp-rss

Type: Vendors & Products
Values Added: Rachelos; Rachelos werss We-mp-rss

Mon, 09 Feb 2026 05:15:00 +0000

Type: Description
Values Added: A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue affects some unknown processing of the file core/auth.py of the component JWT Handler. Performing a manipulation of the argument SECRET_KEY results in use of default cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used.

Type: Title
Values Added: rachelos WeRSS we-mp-rss JWT auth.py default key

Type: Weaknesses
Values Added: CWE-1394

Type: References

Type: Metrics
Values Added:
  cvssV2_0: {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:56:44.351Z

Reserved: 2026-02-08T08:30:03.928Z

Link: CVE-2026-2215

Vulnrichment

Updated: 2026-02-09T16:03:40.113Z

NVD

Status: Deferred

Published: 2026-02-09T05:16:25.100

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses