Hardcoded JWT Secret in SOCFortress CoPilot Leads to Security Risks
CVE-2026-42869

10CRITICAL

Key Information:

Vendor

Socfortress

Status
Copilot
Vendor
CVE Published:
11 May 2026

What is CVE-2026-42869?

SOCFortress CoPilot is affected by a vulnerability where a hardcoded JWT signing secret is included as a fallback in its codebase. If users fail to set the JWT_SECRET explicitly, including in default Docker Compose configurations, the application utilizes this known secret to sign authentication tokens. This flaw enables unauthenticated attackers to forge admin-level JWTs, granting them unauthorized access and control over the application and its associated security tools. The issue has been remedied in version 0.1.57.

Affected Version(s)

CoPilot < 0.1.57

References

https://github.com/socfortress/CoPilot/security/advisorie...
x_refsource_CONFIRM
https://github.com/socfortress/CoPilot/pull/814
x_refsource_MISC
https://github.com/socfortress/CoPilot/commit/4640511a0cf...
x_refsource_MISC

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.