PT-2026-6420 — Github.Com/Lf-Edge/Eve

PT-2026-6420 · Go · Github.Com/Lf-Edge/Eve

Published

2026-02-04

Updated

2026-02-04

CVSS v3.1

6.7

Medium

Vector

AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Impact

The deriveVaultKey function calls retrieveCloudKey which always returns "foobarfoobarfoobarfoobarfoobarfo". When merged with the randomly generated 32-byte key using mergeKeys (16 bytes from each), the last 16 bytes are always "arfoobarfoobarfo". This enables an attacker with physical access to the EVE-OS device to attempt to brute force the remaining 128 bits of key.

Patches

Fixed in 7.10 and 8.12.1-lts

Workarounds

None

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-321CWE-798

Related Identifiers

GHSA-G7VP-J25F-H34P

Affected Products