PT-2026-39734 · Unknown · Socfortress Copilot
Chimppppy · Published 2026-05-11 · Updated 2026-05-12 · CVE-2026-42869
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SOCFortress CoPilot versions prior to 0.1.57

Description: The application contains a hardcoded JSON Web Token (JWT) signing secret used as a fallback value in the backend/app/auth/utils.py file and the .env.example file. In deployments where the JWT SECRET variable is not explicitly configured, such as the default Docker Compose setup, the system signs authentication tokens with this publicly known value. This allows an unauthenticated attacker to forge admin-scoped tokens and gain full control over the application and the security tools it manages.

Recommendations: Update to version 0.1.57. Explicitly set the JWT SECRET variable in the environment configuration so that the default fallback value is never used.
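As an added illustration, not code from the SOCFortress project, the fallback pattern the advisory describes sits beside a fail-closed loader that refuses to start without a deployment-specific secret, and a check shows why the fallback matters: every deployment left at the default signs tokens with the same key. The environment variable name `JWT_SECRET`, the placeholder fallback string and the sample signing input are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for the fixed fallback string shipped in
# .env.example and utils.py; the real value is deliberately not reproduced.
SHIPPED_FALLBACK = "constructed-placeholder-fallback-secret"
KNOWN_WEAK_VALUES = frozenset({SHIPPED_FALLBACK, "changeme", "secret"})
MIN_SECRET_BYTES = 32  # HS256 needs at least 256 bits of key material

class SecretConfigError(RuntimeError):
    """Raised when the JWT signing secret is missing or unsafe."""

def vulnerable_load_secret(env: dict) -> str:
    """The pattern the advisory describes: silently fall back to a fixed value."""
    return env.get("JWT_SECRET", SHIPPED_FALLBACK)

def hardened_load_secret(env: dict) -> str:
    """Fail closed: start only with a strong, deployment-specific secret."""
    value = env.get("JWT_SECRET")
    if not value:
        raise SecretConfigError("JWT_SECRET is not set; refusing to start")
    if value in KNOWN_WEAK_VALUES:
        raise SecretConfigError("JWT_SECRET is a known default or placeholder")
    if len(value.encode()) < MIN_SECRET_BYTES:
        raise SecretConfigError(f"JWT_SECRET shorter than {MIN_SECRET_BYTES} bytes")
    return value

def generate_secret() -> str:
    """Value suitable for JWT_SECRET: 32 random bytes, hex-encoded."""
    return secrets.token_hex(MIN_SECRET_BYTES)

def hs256_signature(signing_input: bytes, secret: str) -> str:
    """HMAC-SHA256 over the JWT signing input, as an HS256 verifier computes it."""
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).hexdigest()

def deployments_share_signatures(loader, envs: list) -> bool:
    """True when independent deployments sign the same token identically, i.e.
    a token accepted by one instance would verify on every other one."""
    sample = b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9"  # constructed header.payload
    return len({hs256_signature(sample, loader(env)) for env in envs}) == 1

if __name__ == "__main__":
    unset = [{}, {}]  # two default Compose-style deployments with nothing configured
    print("vulnerable loader, key shared across deployments:",
          deployments_share_signatures(vulnerable_load_secret, unset))
    strong = [{"JWT_SECRET": generate_secret()} for _ in range(2)]
    print("hardened loader, key shared across deployments:",
          deployments_share_signatures(hardened_load_secret, strong))
```

The same check runs at startup against the real environment by passing `dict(os.environ)` to `hardened_load_secret`, which turns a silently shared key into a refused start.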

Exploit · Fix

Weakness Enumeration: Insufficiently Protected Credentials; Using Hardcoded Credentials; Improper Authentication


Related Identifiers: CVE-2026-42869

Affected Products: Socfortress Copilot