CVE-2024-36111

KubePi's JWT token validation has a defect

Basic Information

CVE State
PUBLISHED
Reserved Date
May 20, 2024
Published Date
July 25, 2024
Last Updated
August 02, 2024
Vendor
1Panel-dev
Product
KubePi
Description
KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in KubePi's JWT token verification. The JWT key in the default configuration file is empty. Although the configuration-reading logic generates a random 32-bit string and writes it over the empty key in the configuration file when it detects that the key is empty, the key actually used during verification remains empty. A JWT token generated with an empty key therefore passes login verification and gives direct control of the back end. Version 1.8.0 contains a patch for this issue.
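The root cause in the description is a split between the key that gets generated and the key the verifier actually reads. The following Go program (KubePi is written in Go) is an added illustration of the fail-closed pattern a fix needs, not code from KubePi or the 1Panel-dev project: the key is generated into the same configuration value the verifier is built from, and both signing and verification refuse an empty key outright. The Config type, the function names, and the choice of 32 random bytes (hex-encoded) are assumptions made for this example; the HS256 helpers are a standard-library implementation written here, not the project's JWT library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrEmptyKey     = errors.New("jwt: refusing to sign or verify with an empty key")
	ErrBadToken     = errors.New("jwt: malformed token or unsupported alg")
	ErrBadSignature = errors.New("jwt: signature mismatch")
)

// Config is a hypothetical stand-in for the panel's configuration; only the JWT key matters here.
type Config struct {
	JWTKey string
}

// EnsureJWTKey closes the gap the advisory describes: when the configured key is empty,
// a fresh random key is written into the same Config value the verifier is later built
// from, so the key used at verification time can never be empty.
// (32 random bytes, hex-encoded, is an assumption for this example.)
func EnsureJWTKey(cfg *Config) error {
	if cfg.JWTKey != "" {
		return nil
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	cfg.JWTKey = hex.EncodeToString(buf)
	return nil
}

// Verifier holds the key actually used for verification. Building it through
// NewVerifier checks the key once at startup instead of trusting it per request.
type Verifier struct{ key []byte }

func NewVerifier(cfg *Config) (*Verifier, error) {
	if err := EnsureJWTKey(cfg); err != nil {
		return nil, err
	}
	if cfg.JWTKey == "" { // defence in depth: never build a verifier around an empty key
		return nil, ErrEmptyKey
	}
	return &Verifier{key: []byte(cfg.JWTKey)}, nil
}

// SignHS256 builds a compact JWS (header.payload.signature) over claimsJSON.
func SignHS256(claimsJSON, key []byte) (string, error) {
	if len(key) == 0 {
		return "", ErrEmptyKey
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claimsJSON)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 checks the token and returns its claims JSON. It fails closed on an empty
// key, pins the algorithm to HS256 (so "none" is rejected), and compares the MAC in
// constant time.
func VerifyHS256(token string, key []byte) ([]byte, error) {
	if len(key) == 0 {
		return nil, ErrEmptyKey
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrBadToken
	}
	enc := base64.RawURLEncoding
	headerJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, ErrBadToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, ErrBadToken
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, ErrBadToken
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, ErrBadSignature
	}
	claims, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, ErrBadToken
	}
	return claims, nil
}

func (v *Verifier) Verify(token string) ([]byte, error) { return VerifyHS256(token, v.key) }

func main() {
	cfg := &Config{} // constructed: mirrors a config file whose JWT key is empty
	v, err := NewVerifier(cfg)
	if err != nil {
		panic(err)
	}
	tok, _ := SignHS256([]byte(`{"sub":"admin"}`), []byte(cfg.JWTKey))
	claims, err := v.Verify(tok)
	fmt.Printf("valid token -> %s, err=%v\n", claims, err)
	_, err = VerifyHS256(tok, nil)
	fmt.Println("empty key   ->", err)
}
```

The point of NewVerifier is that there is exactly one place where the key is read, and it is the value EnsureJWTKey just populated; a verifier that re-reads the on-disk default (or a separate variable) is how the generated key and the verified key drift apart. The empty-key check in VerifyHS256 is the backstop: even if the configuration path regresses, an empty key cannot validate anything.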

CVSS Scores

CVSS v3.1

6.3 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score

Score
61.03% (Percentile: 98.21%) as of 2025-07-29

SSVC Information

Exploitation
poc
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2025-07-07 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-07-08 12:03:05 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel