KubePi's Hardcoded Jwtsigkeys allows malicious actor to login with a forged JWT token
Description
KubePi ≤1.6.2 uses hard-coded JWT signing keys, enabling attackers to forge admin tokens and compromise Kubernetes clusters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-22463 affects KubePi, a Kubernetes management panel, through version 1.6.2. The root cause is a hard-coded JWT signing key (JwtSigKey) defined in internal/api/v1/session/session.go [4]. This key, "signature_hmac_secret_shared_key", is identical across all deployments, meaning every KubePi instance uses the same secret for signing JSON Web Tokens [1][2].
Exploitation
An attacker with network access to a KubePi instance can forge arbitrary JWT tokens using the publicly known hard-coded key. No authentication is required to exploit this; the attacker simply crafts a token with administrator privileges and presents it to the KubePi API [1]. The vulnerability is trivially exploitable because the key is static and shared globally.
Impact
Successful exploitation allows an attacker to impersonate any user, including the built-in administrator account. From there, the attacker can fully control the KubePi panel and, by extension, the managed Kubernetes cluster(s) [1]. This could lead to data exfiltration, deployment of malicious workloads, or complete cluster compromise.
Mitigation
The vulnerability is fixed in KubePi version 1.6.3 [3]. The fix removes the hard-coded key and instead reads the JWT signing key from the configuration file (app.yml). If the key field is left empty, a random key is generated at startup [2]. There are no workarounds; upgrading to 1.6.3 or later is required.
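A defender's version of the key handling the 1.6.3 fix introduces, as an added example (not KubePi's own code): it keeps the fix's base-36 generator but surfaces crypto/rand errors, and it fails closed when the configured key is shorter than an assumed 32-character minimum or equal to the publicly known pre-1.6.3 default. `resolveJwtKey`, `generateKey` and `minKeyLen` are this example's own names.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strconv"
)

// knownHardcodedKey is the static HS256 secret shipped in KubePi <= 1.6.2
// (internal/api/v1/session/session.go). Tokens signed with it are forgeable,
// so it is treated as a denylisted value, never as a usable secret.
const knownHardcodedKey = "signature_hmac_secret_shared_key"

const minKeyLen = 32 // assumed lower bound for an operator-supplied key (this example's choice)

// generateKey mirrors the base-36 generator added by the 1.6.3 fix, but
// propagates crypto/rand failures instead of discarding them.
func generateKey(length int) (string, error) {
	const base = 36
	size := big.NewInt(base)
	out := make([]byte, length)
	for i := range out {
		n, err := rand.Int(rand.Reader, size)
		if err != nil {
			return "", fmt.Errorf("jwt key generation: %w", err)
		}
		// n is in [0, 36), so FormatInt yields exactly one of 0-9a-z.
		out[i] = strconv.FormatInt(n.Int64(), base)[0]
	}
	return string(out), nil
}

// resolveJwtKey decides which HS256 secret the signer and verifier share.
// An empty configured key triggers generation (as in the fix); the bool reports
// that a fresh key was produced so the caller can persist it to app.yml.
// Short or publicly known keys are rejected so the process fails closed.
func resolveJwtKey(configured string) (string, bool, error) {
	if configured == "" {
		key, err := generateKey(minKeyLen)
		return key, true, err
	}
	if configured == knownHardcodedKey {
		return "", false, errors.New("spec.jwt.key is the publicly known KubePi default; set a new key")
	}
	if len(configured) < minKeyLen {
		return "", false, fmt.Errorf("spec.jwt.key too short: %d < %d", len(configured), minKeyLen)
	}
	return configured, false, nil
}
```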
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/KubeOperator/kubepi (Go) | < 1.6.3 | 1.6.3 |
Affected products
- KubeOperator/KubePi [v5], range: < 1.6.3
Patches
3be58b8df5bc fix: resolve the k8s cluster takeover vulnerability caused by the hard-coded jwt key
6 files changed · +36 −10
conf/app.yml+3 −1 modified@@ -12,4 +12,6 @@ spec: db: path: /var/lib/kubepi/db/kubepi.db session: - expires: 24 \ No newline at end of file + expires: 24 + jwt: + key: \ No newline at end of file
internal/api/v1/session/session.go+1 −2 modified@@ -32,7 +32,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -var JwtSigKey = []byte("signature_hmac_secret_shared_key") var jwtMaxAge = 10 * time.Minute type Handler struct { @@ -51,7 +50,7 @@ func NewHandler() *Handler { roleService: role.NewService(), rolebindingService: rolebinding.NewService(), ldapService: ldap.NewService(), - jwtSigner: jwt.NewSigner(jwt.HS256, JwtSigKey, jwtMaxAge), + jwtSigner: jwt.NewSigner(jwt.HS256, server.Config().Spec.Jwt.Key, jwtMaxAge), } }
internal/api/v1/v1.go+1 −2 modified@@ -401,8 +401,7 @@ func resourceNameInvalidHandler() iris.Handler { } func WarpedJwtHandler() iris.Handler { - - verifier := jwt.NewVerifier(jwt.HS256, session.JwtSigKey) + verifier := jwt.NewVerifier(jwt.HS256, server.Config().Spec.Jwt.Key) verifier.WithDefaultBlocklist() verifyMiddleware := verifier.Verify(func() interface{} { return new(session.UserProfile)
internal/config/config.go+25 −5 modified@@ -1,12 +1,15 @@ package config import ( + "crypto/rand" "encoding/json" "fmt" "github.com/KubeOperator/kubepi/internal/model/v1/config" "github.com/KubeOperator/kubepi/pkg/file" "github.com/coreos/etcd/pkg/fileutil" "github.com/spf13/viper" + "math/big" + "strconv" ) const configNotFoundSkipErr = "config file not found in %s, skip" @@ -17,7 +20,7 @@ var configFilePaths = []string{ "/etc/kubepi", } -func ReadConfig(c *config.Config, path ...string) error { +func ReadConfig(c *config.Config, path ...string) error { v := viper.New() v.SetConfigName("app") v.SetConfigType("yaml") @@ -41,19 +44,36 @@ func ReadConfig(c *config.Config, path ...string) error { if err := v.MergeInConfig(); err != nil { fmt.Println(fmt.Sprintf(configMergeErr, configFilePaths)) } + } var configMap map[string]interface{} if err := v.Unmarshal(&configMap); err != nil { - return err + return err } str, err := json.Marshal(&configMap) if err != nil { - return err + return err } if err := json.Unmarshal(str, &c); err != nil { - return nil + return nil + } + if c.Spec.Jwt.Key == "" { + v.Set("spec.jwt.key", generate(32)) + if err := v.WriteConfig(); err != nil { + return err + } } - return nil + return nil } +func generate(length int) string { + const base = 36 + size := big.NewInt(base) + n := make([]byte, length) + for i := range n { + c, _ := rand.Int(rand.Reader, size) + n[i] = strconv.FormatInt(c.Int64(), base)[0] + } + return string(n) +}
internal/model/v1/config/config.go+5 −0 modified@@ -12,6 +12,7 @@ type Spec struct { DB DBConfig `json:"db"` Session SessionConfig `json:"session"` Logger LoggerConfig `json:"logger"` + Jwt JwtConfig `json:"jwt"` AppId string `json:"appId"` } @@ -42,3 +43,7 @@ type DBConfig struct { type SessionConfig struct { Expires int `json:"expires"` } + +type JwtConfig struct { + Key string `json:"key"` +}
internal/server/server.go+1 −0 modified@@ -340,6 +340,7 @@ func getDefaultConfig() *v1Config.Config { Expires: 72, }, Logger: v1Config.LoggerConfig{Level: "debug"}, + Jwt: v1Config.JwtConfig{}, }, } }
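Review bot: in the ReadConfig hunk of internal/config/config.go the generated key is persisted with `v.Set("spec.jwt.key", generate(32))` and `v.WriteConfig()` but never assigned to `c.Spec.Jwt.Key`, so on the first start after upgrading the in-memory config that `server.Config().Spec.Jwt.Key` hands to the signer and verifier still holds the empty string unless ReadConfig runs a second time; assign the generated value to `c.Spec.Jwt.Key` before writing it out. In `generate`, `c, _ := rand.Int(rand.Reader, size)` discards the error and a nil `c` would panic at `c.Int64()`; return the error instead. The `json.Unmarshal` branch still does `return nil` on failure, which hides a broken config file from the caller.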
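Review bot: the session.go and v1.go hunks replace the `[]byte` JwtSigKey with `server.Config().Spec.Jwt.Key`, which is a `string` per the new JwtConfig; confirm that `jwt.NewSigner` and `jwt.NewVerifier` accept a string HMAC secret for HS256, otherwise pass `[]byte(server.Config().Spec.Jwt.Key)` at both sites. Neither site rejects an empty key, so a config that fails to generate or persist one would leave HS256 running with an empty secret; check for an empty key once at startup and refuse to serve.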
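Review bot: the conf/app.yml hunk adds `jwt:` / `key:` with no comment; document that an empty value makes KubePi generate a key and write it back into this file at startup, which means the file must be writable by the KubePi process and, since it now stores the HS256 secret, should be readable only by that process. The note should also tell operators upgrading from 1.6.2 or earlier not to carry the old hard-coded value over into this field.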
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vjhf-8vqx-vqpq (ADVISORY, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2023-22463 (ADVISORY, via GHSA)
- github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go (WEB, x_refsource_MISC)
- github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b (WEB, x_refsource_MISC)
- github.com/KubeOperator/KubePi/releases/tag/v1.6.3 (WEB, x_refsource_MISC)
- github.com/KubeOperator/KubePi/security/advisories/GHSA-vjhf-8vqx-vqpq (WEB, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.