Impact
Bambuddy, a self-hosted print archive and management system for Bambu Lab 3D printers, shipped with a hardcoded secret key used to sign JWTs and lacked authentication checks on many API routes before version 0.1.7. These are two separate weaknesses with the same practical effect. Because the project is open source, the signing secret is effectively public: anyone who reads the repository can forge a JWT for any identity and present it to the routes that do check tokens, while the routes that never checked a token at all can be called with no credential whatsoever. An unauthenticated attacker can therefore read sensitive printer job data, submit new print jobs, or modify existing ones, compromising the confidentiality, integrity and availability of the printing infrastructure.
Affected Systems
All deployments of Bambuddy distributed by the maziggy project before version 0.1.7 are affected. The flaw covers every API route that did not enforce authentication and the module that signs JWTs with the hardcoded secret. The product is an open-source project maintained by the community, so the secret is readable by anyone and should be treated as already known to attackers.
Risk and Exploitability
The vulnerability is scored CVSS 9.8, which is critical severity (9.0 and above), but the EPSS score is below 1%, reflecting a very low estimated likelihood of exploitation at present. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is remote, over the network: unauthenticated requests to the API can be made from any host that can reach the service, and no user interaction or prior access is required. After inspecting the public source code, an attacker can extract the hardcoded key, mint a JWT with any claims they like, and then access or control the printer operation APIs. The weaknesses are classified as missing authentication for a critical function (CWE-306) and use of a hard-coded cryptographic key (CWE-321). Upgrading to 0.1.7 or later is the fix; because any token minted under the old key remains verifiable for as long as that key is accepted, operators should confirm after upgrading that the signing key in use is a per-deployment secret and not the old hardcoded value.
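The following is an added illustration, not code from the Bambuddy project, of why a hardcoded HS256 signing secret is fatal and what the corrected pattern looks like. It implements a minimal HS256 JWT signer and verifier with the standard library, forges a token the way an attacker who has read the secret out of the repository would, and then shows a secret-loading routine that refuses the hardcoded value. The secret string, the claim names and the environment variable name `BAMBUDDY_SECRET_KEY` are placeholders chosen for the example; they are not the real values from the project.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Placeholder standing in for a secret committed to source control.
# Hypothetical value, not the one from the project's repository.
HARDCODED_SECRET = "change-me-hardcoded-example-secret"

MIN_SECRET_LEN = 32  # bytes of entropy we insist on for an HMAC-SHA256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt_hs256(claims: dict, secret: str) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt_hs256(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is validly signed with `secret` and unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never honour "none" or a key-type swap
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(p))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


def forge_admin_token(known_secret: str, now: int) -> str:
    """What an attacker does once the secret is known: mint a token for whatever subject they want."""
    return sign_jwt_hs256({"sub": "admin", "iat": now, "exp": now + 3600}, known_secret)


def check_secret(candidate: Optional[str]) -> bool:
    """Reject missing, short, or known-hardcoded secrets before they are ever used for signing."""
    if not candidate or len(candidate.encode()) < MIN_SECRET_LEN:
        return False
    return not hmac.compare_digest(candidate.encode(), HARDCODED_SECRET.encode())


def generate_secret() -> str:
    """Per-deployment secret, generated once at install time and stored outside the repository."""
    return secrets.token_urlsafe(48)


def load_secret_from_env(env: dict) -> str:
    """Hardened pattern: the key comes from the deployment environment, never from source."""
    candidate = env.get("BAMBUDDY_SECRET_KEY")  # hypothetical variable name
    if not check_secret(candidate):
        raise RuntimeError("BAMBUDDY_SECRET_KEY missing, too short, or equal to a known hardcoded value")
    return candidate


if __name__ == "__main__":
    now = int(time.time())
    forged = forge_admin_token(HARDCODED_SECRET, now)
    print("forged token accepted by vulnerable verifier:",
          verify_jwt_hs256(forged, HARDCODED_SECRET, now) is not None)
    fresh = generate_secret()
    print("same token rejected once the key is per-deployment:",
          verify_jwt_hs256(forged, fresh, now) is None)
    print("hardcoded value rejected at startup:", not check_secret(HARDCODED_SECRET))
```

The verifier is the part that matters for the second half of the advisory: the forged token only works because the server accepts whatever key is in source, so the remediation is to fail startup unless a secret of adequate length is supplied from outside the repository, and to pin `alg` so that a key rotation cannot be sidestepped with an unsigned token. Routes that skip the verifier entirely are not helped by any of this, which is why the missing-authentication finding has to be fixed separately.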
OpenCVE Enrichment: GitHub GHSA