Critical severity 10.0 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026
CVE-2026-42869
Description
SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET is not explicitly set — including the default Docker Compose setup — signs all authentication tokens with this publicly known value. An unauthenticated attacker can forge arbitrary admin-scoped JWTs and gain full control of the application and every security tool it manages without any credentials. This vulnerability is fixed in 0.1.57.
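The fallback pattern the description refers to, shown next to a fail-closed loader, as an added example (not SOCFortress CoPilot's code and not its 0.1.57 fix). The function names, the 32-byte minimum and the placeholder standing in for the published secret are assumptions made for illustration.

```python
import os

# Constructed placeholder standing in for the value published in .env.example;
# the real string is deliberately not reproduced here.
KNOWN_PUBLIC_SECRETS = {"<value-from-.env.example>"}
MIN_SECRET_BYTES = 32  # assumption: 256 bits for an HMAC-SHA256 signing key


class InsecureJWTConfig(RuntimeError):
    """Raised at startup so the service never signs tokens with a weak key."""


def load_secret_vulnerable(env):
    # Pattern described in the advisory: a missing JWT_SECRET silently falls
    # back to a constant that every copy of the source code contains.
    return env.get("JWT_SECRET", "<value-from-.env.example>")


def load_secret_hardened(env):
    # Fail closed: no default, no published value, no short key.
    secret = env.get("JWT_SECRET", "").strip()
    if not secret:
        raise InsecureJWTConfig("JWT_SECRET is not set")
    if secret in KNOWN_PUBLIC_SECRETS:
        raise InsecureJWTConfig("JWT_SECRET matches a published example value")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        raise InsecureJWTConfig("JWT_SECRET is shorter than 32 bytes")
    return secret


def audit(env):
    """Return a finding string for one deployment's environment, or None."""
    try:
        load_secret_hardened(env)
    except InsecureJWTConfig as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample environments, not taken from any real deployment.
    samples = {
        "default compose (unset)": {},
        "copied .env.example": {"JWT_SECRET": "<value-from-.env.example>"},
        "generated key": {"JWT_SECRET": os.urandom(32).hex()},
    }
    for name, env in samples.items():
        print(f"{name}: {audit(env) or 'ok'}")
```

Replacing the secret on an affected deployment also invalidates every token signed with the old value, so existing sessions have to re-authenticate.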
Affected products: 1
Patches: 0
No patches discovered yet.