Unrated severityOSV Advisory· Published Jan 13, 2026· Updated Mar 5, 2026

Covenant 0.5 - Remote Code Execution (RCE)

CVE-2020-36911

Description

Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.

Affected products

Cobbr/CovenantOSV

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rbmitreexploit
web.archive.org/web/20201101052547/https://blog.null.farm/hunting-the-huntersmitretechnical-descriptionexploit
www.exploit-db.com/exploits/51141mitreexploit
web.archive.org/web/20201013165001/https://twitter.com/cobbr_io/status/1316058367161401344mitrevendor-advisorypatch
www.vulncheck.com/advisories/covenant-remote-code-execution-rcemitrethird-party-advisory
cobbr.io/Covenant.htmlmitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000