Description
SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET is not explicitly set — including the default Docker Compose setup — signs all authentication tokens with this publicly known value. An unauthenticated attacker can forge arbitrary admin-scoped JWTs and gain full control of the application and every security tool it manages without any credentials. This vulnerability is fixed in 0.1.57.
Published: 2026-05-11
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SOCFortress CoPilot shipped a hardcoded JWT signing secret that is used when an environment variable is not supplied. An unauthenticated attacker can request the application to sign tokens with this known value, then forge arbitrary admin-scoped JWTs. By doing so, the attacker gains unrestricted administrative access to the CoPilot interface and to every security tool integrated with it, enabling further lateral movement across the security operations environment.

Affected Systems

The vulnerability exists in all CoPilot releases prior to 0.1.57, particularly where "JWT_SECRET" is not explicitly configured. Default Docker Compose deployments that rely on the provided .env.example are especially affected. Any installation that deploys these older versions without overriding the hardcoded secret is at risk.

Risk and Exploitability

With a CVSS score of 10, the vulnerability is considered critical. The EPSS score is not available, but the lack of any authentication requirement makes exploitation trivial for an attacker with network or web access. The vulnerability is not listed in CISA KEV yet, but the ability to forge tokens means an attacker can gain full control of the application without material effort. The likely attack vector is the application's authentication endpoint, where crafted JWTs can be submitted and accepted unconditionally.

Generated by OpenCVE AI on May 11, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SOCFortress CoPilot to version 0.1.57 or later where the hardcoded JWT secret is removed and authentication requires a proper JWT_SECRET environment variable.
  • Configure the JWT_SECRET environment variable with a randomly generated, strong secret for all CoPilot deployments, ensuring the application does not fall back to the hardcoded value.
  • Review and modify any default configuration files such as .env.example so that they do not contain the hardcoded secret or any default values that could be used during deployment.

Generated by OpenCVE AI on May 11, 2026 at 20:51 UTC.
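The recommended actions above amount to one pattern: load the signing secret from the environment with no fallback, refuse to start when it is absent, a sample value, or too short, and pin the verification algorithm. The following is an added example, not code from the SOCFortress CoPilot project; the placeholder value `CHANGE_ME_EXAMPLE_SECRET`, the function names, and the 32-byte minimum are assumptions (the minimum follows the HS256 key-size requirement in RFC 7518, not anything CoPilot documents). The HS256 sign/verify helpers use only the standard library so the check can be exercised offline.

```python
"""Added example, not code from the SOCFortress CoPilot project: a fail-closed
JWT secret loader with no hardcoded fallback, plus a minimal HS256 sign/verify
built on the standard library so the behaviour can be exercised offline."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Mapping, Optional

# Constructed placeholder standing in for whatever value a sample env file
# ships; the real repository's value is deliberately not reproduced here.
KNOWN_PLACEHOLDER_SECRETS = frozenset({"CHANGE_ME_EXAMPLE_SECRET"})
MIN_SECRET_BYTES = 32  # 256 bits, the minimum HS256 key length in RFC 7518


class SecretConfigError(RuntimeError):
    """Raised at startup when JWT_SECRET is missing or unsafe."""


def secret_config_problem(env: Mapping[str, str]) -> Optional[str]:
    """Describe what is wrong with JWT_SECRET in `env`, or None if it is usable.

    The vulnerable pattern is env.get("JWT_SECRET", "<hardcoded value>"), which
    silently signs every token with a public value when the variable is absent.
    """
    secret = env.get("JWT_SECRET", "").strip()
    if not secret:
        return "JWT_SECRET is not set"
    if secret in KNOWN_PLACEHOLDER_SECRETS:
        return "JWT_SECRET is a sample/placeholder value"
    if len(secret.encode()) < MIN_SECRET_BYTES:
        return f"JWT_SECRET is shorter than {MIN_SECRET_BYTES} bytes"
    return None


def load_jwt_secret(env: Mapping[str, str]) -> str:
    """Return the configured secret or refuse to start; there is no fallback."""
    problem = secret_config_problem(env)
    if problem is not None:
        raise SecretConfigError(f"{problem}; refusing to start")
    return env["JWT_SECRET"].strip()


def generate_secret() -> str:
    """Produce a value suitable for JWT_SECRET: 32 random bytes as 64 hex chars."""
    return secrets.token_hex(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT for `claims` under `secret`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, secret: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token was signed under `secret` and is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return None
        current = int(time.time()) if now is None else now
        if "exp" in claims and current >= int(claims["exp"]):
            return None
    except (ValueError, TypeError):
        return None
    return claims


if __name__ == "__main__":
    for env in ({}, {"JWT_SECRET": "CHANGE_ME_EXAMPLE_SECRET"}, {"JWT_SECRET": generate_secret()}):
        print(env.get("JWT_SECRET", "<unset>")[:12], "->", secret_config_problem(env) or "ok")
    real = load_jwt_secret({"JWT_SECRET": generate_secret()})
    stale = sign_token({"sub": "admin"}, "CHANGE_ME_EXAMPLE_SECRET")
    print("token minted under the placeholder accepted?", verify_token(stale, real) is not None)
```

Calling `load_jwt_secret(os.environ)` once at process start, before any route is registered, turns the silent fallback into a startup failure that shows up in container logs; `secret_config_problem` is the same check in a form a readiness probe or CI lint over `.env` files can reuse.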


Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Socfortress; Socfortress copilot

Type: Vendors & Products
Values Removed: (none)
Values Added: Socfortress; Socfortress copilot

Mon, 11 May 2026 19:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET is not explicitly set — including the default Docker Compose setup — signs all authentication tokens with this publicly known value. An unauthenticated attacker can forge arbitrary admin-scoped JWTs and gain full control of the application and every security tool it manages without any credentials. This vulnerability is fixed in 0.1.57.

Type: Title
Values Removed: (none)
Values Added: SOCFortress CoPilot: Hardcoded JWT secret allows unauthenticated full admin compromise and lateral movement into all integrated SOC tools

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-287; CWE-522; CWE-798

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Socfortress Copilot
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:27:25.252Z

Reserved: 2026-04-30T18:49:06.710Z

Link: CVE-2026-42869

Vulnrichment

Updated: 2026-05-12T13:26:57.221Z

NVD

Status : Received

Published: 2026-05-11T20:25:43.347

Modified: 2026-05-12T14:17:05.463

Link: CVE-2026-42869

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:30Z

Weaknesses