PT-2026-29788 · Convoy · Convoy

Justlife4X4 · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-33746

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Convoy versions 3.9.0-beta through 4.5.0

Description: Convoy, a KVM server management panel, had a flaw in the JWTService::decode() method: the cryptographic signature of JWT tokens was not verified. The validation process lacked the SignedWith constraint, so an attacker could forge or modify a JWT token payload, specifically the user uuid claim, without invalidating the token as long as its time-based claims were valid. This affected the SSO authentication flow and allowed an attacker to authenticate as any user by crafting a token with an arbitrary user uuid.

Recommendations: Update Convoy to version 4.5.1 or later.
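The following is an added illustration, not code from Convoy or from this advisory, written in Python with only the standard library rather than in the panel's own stack. It models the two decoder shapes the description contrasts: a decoder that parses the payload and checks only the time-based claims, and one that recomputes and compares the HMAC signature before trusting any claim. The `accepts_modified_payload` function is a regression check a maintainer can point at a decode function to see whether it belongs to the vulnerable class. Key, claims and timestamps are constructed demo values, and the function names are assumptions for this example.

```python
"""Checking a JWT decoder for the missing-signature-check flaw (HS256, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed demo key; in a real deployment this comes from configuration.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _encode_part(part: dict) -> str:
    return _b64url_encode(json.dumps(part, separators=(",", ":")).encode())


def issue_token(payload: dict, key: bytes) -> str:
    """Issue an HS256 JWT the way an SSO issuer would."""
    signing_input = f'{_encode_part({"alg": "HS256", "typ": "JWT"})}.{_encode_part(payload)}'
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def _check_time_claims(payload: dict, now: float) -> None:
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")


def decode_time_only(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Vulnerable pattern: parses the payload and checks exp/nbf, never the signature.
    The key parameter is accepted but never used, mirroring a validator that was
    configured without a SignedWith-style constraint."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    _check_time_claims(payload, time.time() if now is None else now)
    return payload


def decode_verified(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Hardened pattern: pin the algorithm, recompute the HMAC over header.payload
    and compare it in constant time before any claim is trusted, then apply the
    time checks."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    _check_time_claims(payload, time.time() if now is None else now)
    return payload


def accepts_modified_payload(decode_fn: Callable, key: bytes) -> bool:
    """Regression check for the CVE-2026-33746 class of bug: issue a genuine token,
    replace the uuid claim while keeping the original signature, and report whether
    decode_fn still returns the replaced claim. True means the decoder is unsafe."""
    now = 1_700_000_000  # fixed clock so the check is deterministic
    genuine = issue_token({"uuid": "user-aaaa", "exp": now + 3600}, key)
    header_b64, _payload_b64, sig_b64 = genuine.split(".")
    modified = f'{header_b64}.{_encode_part({"uuid": "user-bbbb", "exp": now + 3600})}.{sig_b64}'
    try:
        return decode_fn(modified, key, now)["uuid"] == "user-bbbb"
    except ValueError:
        return False


if __name__ == "__main__":
    print("time-only decoder unsafe:", accepts_modified_payload(decode_time_only, DEMO_KEY))
    print("verified decoder unsafe:", accepts_modified_payload(decode_verified, DEMO_KEY))
```

Run against the two decoders, the check reports the time-only decoder as unsafe and the verifying decoder as safe; the same call is a useful unit test to keep in a project that wraps a JWT library, since it fails the moment a signature constraint is dropped from the validator configuration.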

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Improper Authentication

Related Identifiers

CVE-2026-33746

Affected Products

Convoy