CVE-2021-40494
Description
A Hardcoded JWT Secret Key in metadata.py in AdaptiveScale LXDUI through 2.1.3 allows attackers to gain admin access to the host system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A hardcoded JWT secret key in LXDUI through 2.1.3 allows attackers to forge authentication tokens and gain admin access to the host system.
Vulnerability
LXDUI versions through 2.1.3, a web UI for LXD/LXC containers, contain a hardcoded JWT secret key (lxdui.jwt.secret.key) in the default configuration file, as identified in metadata.py [1][4]. The secret key value AC8d83&21Almnis710sds3231 is static and identical across all installations, enabling attackers to forge valid JSON Web Tokens [1][2][3][4].
Exploitation
An attacker with network access to the LXDUI web interface (typically on port 15151) can forge a JWT token using the publicly known hardcoded secret key [1][4]. No prior authentication or user interaction is required; the attacker simply generates a token and presents it to the application, which will authenticate the forged token as if it were a legitimate admin session [2][4].
Impact
Successful exploitation grants the attacker full admin privileges within the LXDUI application, which in turn provides complete control over the underlying LXD container environment [1][2]. An attacker can create, delete, or modify containers, execute commands within containers, and potentially escape to the host system, leading to complete host compromise [2][3].
Mitigation
The vulnerability was patched in commit e4bffeb9d69a5700a642cb6424453d1894e50d84 (merged via pull request #353), where the hardcoded key was replaced with a randomly generated secret using secrets.token_urlsafe(32) on each startup [4]. Users should upgrade to any version after 2.1.3 or apply the commit. If upgrading is not possible, site administrators must manually set a unique lxdui.jwt.secret.key value in the configuration file and restart the service [1][4].
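The following Python is an added example, not LXDUI's own code, showing the defender-side logic the mitigation above implies: validate an operator-supplied `lxdui.jwt.secret.key` (rejecting the published default), fall back to a `secrets.token_urlsafe(32)` value that is persisted with mode 0600 rather than regenerated on every start, and audit an lxdui.conf for the known-default key. The function names, the secret-file path and the sample config text are assumptions constructed for the example.

```python
import os
import re
import secrets
from pathlib import Path
from typing import List, Optional, Union

# Default value shipped in the unpatched LXDUI template, as quoted on this page
# (the page shows two spellings of it, so both are listed).
KNOWN_DEFAULT_SECRETS = frozenset({
    "AC8d83&21Almnis710sds3231",
    "AC8d83&21Almnis710sds",
})
MIN_SECRET_LEN = 32          # secrets.token_urlsafe(32) yields a 43-char string
CONF_KEY = "lxdui.jwt.secret.key"


class WeakJwtSecret(ValueError):
    """Raised when a configured JWT secret must not be used for signing."""


def validate_jwt_secret(secret: str) -> str:
    """Reject the known default and too-short values; return the secret otherwise."""
    if secret in KNOWN_DEFAULT_SECRETS:
        raise WeakJwtSecret(f"{CONF_KEY} is the publicly known default value")
    if len(secret) < MIN_SECRET_LEN:
        raise WeakJwtSecret(f"{CONF_KEY} is shorter than {MIN_SECRET_LEN} characters")
    return secret


def secret_is_acceptable(secret: str) -> bool:
    """Boolean wrapper around validate_jwt_secret for callers that do not want exceptions."""
    try:
        validate_jwt_secret(secret)
        return True
    except WeakJwtSecret:
        return False


def resolve_jwt_secret(configured: Optional[str] = None,
                       secret_file: Optional[Union[str, os.PathLike]] = None) -> str:
    """Pick the token-signing secret at startup (assumed startup hook, not LXDUI's).

    Preference order: an explicitly configured value (validated), then a secret
    persisted in secret_file (created 0600 on first run so restarts and multiple
    worker processes share one key), then a one-off random value.
    """
    if configured:
        return validate_jwt_secret(configured)
    if secret_file is not None:
        path = Path(secret_file)
        if path.exists():
            return validate_jwt_secret(path.read_text().strip())
        fresh = secrets.token_urlsafe(32)
        try:
            # O_EXCL: never overwrite a key another worker has just created
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            return validate_jwt_secret(path.read_text().strip())
        with os.fdopen(fd, "w") as fh:
            fh.write(fresh)
        return fresh
    return secrets.token_urlsafe(32)


# Matches an active (uncommented) assignment of the key on its own line.
_KEY_RE = re.compile(r"^\s*" + re.escape(CONF_KEY) + r"\s*=\s*(.*?)\s*$", re.MULTILINE)


def audit_conf(conf_text: str) -> List[str]:
    """Return findings for the text of an lxdui.conf; an empty list means no issue found."""
    match = _KEY_RE.search(conf_text)
    if match is None:
        return [f"{CONF_KEY} not set: acceptable only on patched builds, which generate one at startup"]
    try:
        validate_jwt_secret(match.group(1))
    except WeakJwtSecret as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    import tempfile
    # Constructed sample config mirroring the template lines shown in the patch.
    SAMPLE_CONF = (
        "lxdui.jwt.token.expiration = 1200\n"
        "lxdui.jwt.secret.key = AC8d83&21Almnis710sds3231\n"
        "lxdui.admin.user = admin\n"
    )
    print(audit_conf(SAMPLE_CONF))
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = Path(tmp) / "jwt.secret"   # assumed location
        first = resolve_jwt_secret(secret_file=keyfile)
        second = resolve_jwt_secret(secret_file=keyfile)
        print("persisted secret stable across restarts:", first == second)
```

Persisting the generated secret is the design choice worth noting: a value minted freshly on each start, as the patch does, logs every user out on restart and gives each worker of a multi-process server a different key, so tokens issued by one worker fail on another.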
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lxdui (PyPI) | <= 2.1.3 | — |
Affected products
- AdaptiveScale/LXDUI
  - Range: <=2.1.3
Patches
e4bffeb9d69a Merge pull request #353 from Real-XkLi/develop
2 files changed · +3 −2
app/api/utils/authentication.py+3 −1 modified@@ -6,6 +6,7 @@ from app.api.utils import converters import app.__metadata__ as meta import logging +import secrets logging = logging.getLogger(__name__) @@ -21,7 +22,8 @@ def authenticate(username, password): def initAuth(app): APP = meta.APP_NAME tokenExpiration = int(Config().get(APP, '{}.jwt.token.expiration'.format(APP.lower()))) - secretKey = Config().get(APP, '{}.jwt.secret.key'.format(APP.lower())) + # create a new secretKet whenever the system is started + secretKey = secrets.token_urlsafe(32) if (tokenExpiration == None): tokenExpiration = 1200
app/__metadata__.py+0 −1 modified@@ -28,7 +28,6 @@ #lxdui.lxd.sslverify = true #lxdui.lxd.remote.name = host lxdui.jwt.token.expiration = 1200 -lxdui.jwt.secret.key = AC8d83&21Almnis710sds lxdui.admin.user = admin lxdui.conf.dir = {{app_root}}/conf lxdui.conf.file = ${lxdui.conf.dir}/lxdui.conf
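Review bot: in the `initAuth` hunk of app/api/utils/authentication.py, minting `secretKey = secrets.token_urlsafe(32)` at every startup invalidates all issued JWTs on each restart, and under a multi-process server every worker derives its own key, so a token signed by one worker is rejected by the others; consider reading `'{}.jwt.secret.key'` from `Config()` first and generating a value only when it is unset, which also keeps the operator-configured key (the workaround the advisory recommends) meaningful after the patch. The comment typo `secretKet` should read `secretKey`.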
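Review bot: the app/__metadata__.py hunk drops the default `lxdui.jwt.secret.key` line from the config template, but an lxdui.conf already written from the old template still carries that line; it becomes inert once authentication.py stops reading the key, though a release note telling operators to delete it would avoid confusion. Note also that the removed value `AC8d83&21Almnis710sds` is shorter than the `AC8d83&21Almnis710sds3231` quoted in the Vulnerability section above, so one of the two appears truncated.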
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p4xh-4869-8vrg (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-40494 (ADVISORY)
- github.com/AdaptiveScale/lxdui/commit/e4bffeb9d69a5700a642cb6424453d1894e50d84 (WEB)
- github.com/AdaptiveScale/lxdui/pull/353 (WEB)
- github.com/pypa/advisory-database/tree/main/vulns/lxdui/PYSEC-2021-342.yaml (WEB)