PT-2026-38622 · Note Mark · Note Mark

Osageling · Published 2026-05-07 · Updated 2026-05-14 · CVE-2026-44523

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: note-mark (affected versions not specified)

Description: The application does not enforce a minimum length or entropy for the JWT SECRET configuration value, accepting any base64-decodable secret regardless of size. In backend/config/utils.go, the Base64Decoded.UnmarshalText() function decodes the secret without validating its length. Additionally, in backend/core/auth.go, tokens are signed using HS256 without minimum key size requirements. Secrets shorter than 32 bytes are susceptible to offline brute-force attacks, which allow an attacker to recover the signing key and forge valid JSON Web Tokens (JWT) for any user, including administrators, leading to full account takeover.

Recommendations: Enforce a minimum of 32 bytes (256 bits) for JWT secrets after base64 decoding. Reject weak secrets during configuration parsing in the Base64Decoded.UnmarshalText() function or during configuration validation.
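As an added example (not Note Mark's code), the following Go sketch shows the recommended check in both places the advisory names: a Base64Decoded type whose UnmarshalText rejects any secret shorter than 32 bytes once decoded, and the same floor applied again where the HS256 key is used, so a weak secret cannot reach the signer even if configuration validation is bypassed. The type name Base64Decoded comes from the advisory; the assumption that the value uses standard (non-URL-safe) base64, the helper names ValidateHS256Key and SignHS256, and the sample secrets are mine.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// MinJWTSecretBytes is the smallest decoded secret accepted for HS256: 32 bytes (256 bits),
// matching the HMAC-SHA256 output size.
const MinJWTSecretBytes = 32

// ErrSecretTooShort is returned whenever a decoded secret is below the minimum.
var ErrSecretTooShort = errors.New("jwt secret too short: need at least 32 bytes after base64 decoding")

// Base64Decoded holds a secret that arrives base64-encoded in configuration.
// Hypothetical stand-in for the advisory's type; standard base64 alphabet is an assumption.
type Base64Decoded []byte

// UnmarshalText decodes the configured value and rejects it if the decoded
// secret is shorter than MinJWTSecretBytes, so weak secrets never load.
func (b *Base64Decoded) UnmarshalText(text []byte) error {
	raw, err := base64.StdEncoding.DecodeString(string(text))
	if err != nil {
		return fmt.Errorf("jwt secret is not valid base64: %w", err)
	}
	if len(raw) < MinJWTSecretBytes {
		return fmt.Errorf("%w (got %d bytes)", ErrSecretTooShort, len(raw))
	}
	*b = raw
	return nil
}

// ValidateHS256Key is the second line of defence at the signing site (hypothetical helper):
// it enforces the same floor independently of how the key was loaded.
func ValidateHS256Key(key []byte) error {
	if len(key) < MinJWTSecretBytes {
		return ErrSecretTooShort
	}
	return nil
}

// SignHS256 computes the raw HMAC-SHA256 over signingInput (the header.payload part of a JWT),
// refusing to sign at all with a key below the minimum (hypothetical helper).
func SignHS256(key []byte, signingInput string) ([]byte, error) {
	if err := ValidateHS256Key(key); err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil), nil
}

func main() {
	var cfg Base64Decoded

	// Constructed sample: base64 of the 6-byte string "secret", the kind of value the check must reject.
	if err := cfg.UnmarshalText([]byte("c2VjcmV0")); err != nil {
		fmt.Println("rejected:", err)
	}

	// Constructed sample: a 32-byte value, the smallest the check accepts.
	strong := base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef"))
	if err := cfg.UnmarshalText([]byte(strong)); err != nil {
		panic(err)
	}

	// Constructed signing input; a real one would be base64url(header) + "." + base64url(claims).
	sig, err := SignHS256(cfg, "eyJhbGciOiJIUzI1NiJ9.e30")
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted %d-byte secret, signature %x\n", len(cfg), sig)
}
```

Failing fast at configuration load is the important property: a deployment with a short secret should refuse to start rather than silently issue forgeable tokens, and the check at the signing site catches any code path that builds a key without going through UnmarshalText.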

Weakness Enumeration

Insufficient Verification of Data Authenticity
Inadequate Encryption Strength

Related Identifiers

CVE-2026-44523
GHSA-Q6MH-RQWH-G786

Affected Products

Note Mark