Critical severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 6, 2026
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
CVE-2026-25505
Description
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code, and many API routes do not check authentication. This issue has been patched in version 0.1.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bambuddy (PyPI) | < 0.1.7 | 0.1.7 |
Affected products
- maziggy/bambuddy, Range: < 0.1.7
References
- github.com/advisories/GHSA-gc24-px2r-5qmf
- nvd.nist.gov/vuln/detail/CVE-2026-25505
- github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py
- github.com/maziggy/bambuddy/blob/main/CHANGELOG.md
- github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9
- github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb
- github.com/maziggy/bambuddy/pull/225
- github.com/maziggy/bambuddy/releases/tag/v0.1.7
- github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf