CVE-2026-25505: Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
- A hardcoded secret key used for signing JWTs is checked into source code
- Many API routes do not check authentication
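As an added example (not code from the advisory or from the Bambuddy project), a fail-closed way to handle the first finding: refuse to start unless the JWT signing key comes from the environment and is neither a known placeholder nor too short, paired with a minimal stdlib HS256 verifier that shows tokens minted under a previously committed secret stop validating once the key is rotated. The environment variable name, the placeholder values and the 32-byte floor are assumptions, not the project's own.

```python
import base64, hashlib, hmac, json, os, time

# Constructed placeholder values standing in for a signing key committed to
# source control; the advisory's real value is deliberately not reproduced.
KNOWN_DEFAULT_SECRETS = {"CHANGE_ME_HARDCODED_SECRET", "secret", "changeme"}
MIN_SECRET_BYTES = 32
ENV_VAR = "BAMBUDDY_JWT_SECRET"  # assumed variable name, not the project's own


def load_jwt_secret(env=None):
    # Fail closed: a missing, placeholder or short key aborts startup.
    secret = (os.environ if env is None else env).get(ENV_VAR)
    if not secret:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start")
    if secret in KNOWN_DEFAULT_SECRETS:
        raise RuntimeError("JWT secret is a known placeholder; refusing to start")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError("JWT secret is too short; refusing to start")
    return secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _hs256(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def sign_hs256(claims: dict, secret: str) -> str:
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    return f"{signing_input}.{_b64url(_hs256(signing_input, secret))}"


def verify_hs256(token: str, secret: str, now=None):
    """Return the claims if alg, signature and expiry all check out, else None.
    A token minted under a previous (leaked) secret fails the HMAC compare."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg downgrades such as "none"
        if not hmac.compare_digest(_hs256(f"{header}.{body}", secret), _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None
    return claims if claims.get("exp", 0) > (time.time() if now is None else now) else None
```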
```python
    # Tail of the PoC's main(): summarise which endpoints answered. `results`
    # is the dict of probe outcomes built earlier in the script (not shown here).
    print("\n" + "=" * 70)
    print("\n[SUMMARY]\n")

    print(f"Endpoints accessible WITHOUT authentication ({len(results['no_auth'])}):")
    for ep in results["no_auth"]:
        print(f"  - {ep}")

    print(f"\nEndpoints accessible with FORGED JWT only ({len(results['jwt_only'])}):")
    for ep in results["jwt_only"]:
        print(f"  - {ep}")

    print(f"\nEndpoints that rejected both ({len(results['both_fail'])}):")
    for ep, no_auth, jwt_auth in results["both_fail"]:
        print(f"  - {ep} (no_auth: {no_auth}, jwt: {jwt_auth})")


if __name__ == "__main__":
    main()
```
</details>
<details>
<summary>Script output</summary>
References
- github.com/advisories/GHSA-gc24-px2r-5qmf
- github.com/maziggy/bambuddy
- github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py
- github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9
- github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf
- nvd.nist.gov/vuln/detail/CVE-2026-25505