Description
A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Assess Impact
AI Analysis

Impact

The vulnerability is introduced by improper authentication in the tool_call function of apps/experimental/tools_webhook/app.py, where manipulation of the X-Tools-JWE HTTP header allows an attacker to bypass authentication. This authentication flaw can enable unauthorized parties to invoke the tool_call endpoint and potentially execute arbitrary code or operations that should be restricted. The weakness is classified as CWE-287 and exposes both confidentiality and integrity risks for systems relying on the RowBoat tools_webhook component.

Affected Systems

RowBoat Laboratories' RowBoat is affected up to version 0.1.67. Any deployment of RowBoat that includes the tools_webhook component and does not apply the latest fixes could be vulnerable. Because the CVE states the flaw exists in "rowboat up to 0.1.67", older releases are included while newer releases are presumed patched. Administrators should verify the exact version installed and consult RowBoat release notes for a fix.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The vulnerability can be exploited remotely, as it does not require local or authenticated access. EPSS data is unavailable, so the current exploitation likelihood is unclear, but the publicly disclosed exploit demonstrates that attacks are feasible. The CVE is not listed in CISA’s KEV catalog, but the presence of a public exploit warrants timely mitigation. The attack vector is presumably HTTP, where an attacker sends a crafted X-Tools-JWE header to gain unauthorized access.

Generated by OpenCVE AI on April 20, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RowBoat to a patched release – newer versions that remove the vulnerability should be installed.
  • Restrict network access to the tools_webhook endpoint, for example by using firewall rules or limiting it to trusted IP ranges.
  • Validate and enforce proper authentication on incoming requests, ensuring the X-Tools-JWE header cannot be spoofed or omitted.



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rowboatlabs; Rowboatlabs rowboat
Vendors & Products | | Rowboatlabs; Rowboatlabs rowboat

Mon, 20 Apr 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | rowboatlabs rowboat tools_webhook app.py tool_call improper authentication
Weaknesses | | CWE-287
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
        | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
        | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
        | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T13:26:31.802Z

Reserved: 2026-04-19T19:20:06.278Z

Link: CVE-2026-6635

Vulnrichment

Updated: 2026-04-20T13:26:28.365Z

NVD

Status: Received

Published: 2026-04-20T12:16:09.673

Modified: 2026-04-20T12:16:09.673

Link: CVE-2026-6635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T13:30:05Z

Weaknesses