Medium severity6.3OSV Advisory· Published Jul 25, 2024· Updated Apr 15, 2026
CVE-2024-36111
CVE-2024-36111
Description
KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the key is detected to be empty in the configuration file reading logic, the key is empty during actual verification. Using an empty key to generate a JWT token can bypass the login verification and directly take over the back end. Version 1.8.0 contains a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: v1.6.3, v1.6.4, v1.6.5, …
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.