Cyber Posture

CVE-2026-25505

Critical · Public PoC

Published: 04 February 2026
Modified: 27 February 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code, and many API routes do not check authentication. This issue has been patched in version 0.1.7.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: AC-3 requires enforcement of approved authorizations for access to system resources, directly addressing the failure of many API routes to check authentication.
- prevent: SC-12 mandates establishment and management of cryptographic keys, preventing hardcoded secrets from being used for JWT signing.
- prevent: AC-14 limits and documents the actions permitted without identification or authentication, mitigating unauthorized access to critical API functions.

Security Summary (AI-generated)

CVE-2026-25505 is a critical authentication vulnerability in Bambuddy, a self-hosted print archive and management system for Bambu Lab 3D printers. In versions prior to 0.1.7, the application commits a hardcoded secret key used for signing JSON Web Tokens (JWTs) directly into the source code, while many API routes fail to enforce authentication checks. This combination, mapped to CWE-306 (Missing Authentication for Critical Function) and CWE-321 (Use of Hard-coded Cryptographic Key), exposes the system to unauthorized access.

The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is exploitable by unauthenticated attackers over the network, with low attack complexity and no user interaction required. Because the signing secret is public, anyone can mint a JWT the application will accept, and the routes that skip authentication need no token at all; either path can lead to full compromise of the Bambuddy instance, including unauthorized management of 3D print archives, data exfiltration or modification, and disruption of printing operations.

Bambuddy version 0.1.7 fixes both defects: it removes the hardcoded key and adds authentication enforcement to the affected routes. The fix is documented in the project's CHANGELOG.md, in the commits addressing the issues, and in the corresponding pull request on GitHub. Operators should upgrade immediately and, because the old key was public, ensure the signing secret in use is no longer the shipped value.
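The two weaknesses the summary describes are easiest to see side by side in code. The following is an added example written for this page, not Bambuddy's code: a minimal HS256 JWT verifier built on the standard library, a configuration loader that refuses to start with a secret that is missing, too short, or equal to a shipped default, and a route guard contrasted with an unguarded handler of the kind CWE-306 describes. The environment variable name `JWT_SECRET_KEY`, the placeholder default `change-me-dev-secret`, and the request shape are all assumptions made for the example.

```python
"""Added example for CVE-2026-25505 (not the Bambuddy project's code).

Shows the hardcoded-secret defect (CWE-321) and the missing-auth defect
(CWE-306) next to a hardened secret loader and an authenticated route guard.
Standard library only; the JWT handling is a minimal HS256 implementation
for illustration, not a replacement for a maintained JWT library.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder for the kind of default secret the advisory
# describes being checked into source control. Hypothetical value.
HARDCODED_DEFAULT_SECRET = "change-me-dev-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Issue an HS256 JWT; the server side of normal login."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; reject "none" and friends
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None
    current = now if now is not None else time.time()
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


class InsecureConfigError(RuntimeError):
    """Raised at startup when the signing secret would be guessable."""


def load_signing_secret(env: dict, min_len: int = 32) -> str:
    """Hardened loader: the secret must come from configuration, must not be
    the shipped default, and must be long enough to resist brute force.
    Refusing to start is safer than silently falling back to a default."""
    secret = env.get("JWT_SECRET_KEY")  # hypothetical variable name
    if not secret:
        raise InsecureConfigError("JWT_SECRET_KEY is not set")
    if secret == HARDCODED_DEFAULT_SECRET:
        raise InsecureConfigError("JWT_SECRET_KEY is the shipped default; generate a unique one")
    if len(secret) < min_len:
        raise InsecureConfigError(f"JWT_SECRET_KEY must be at least {min_len} characters")
    return secret


def handle_unprotected(request: dict) -> dict:
    """The CWE-306 pattern: a state-changing route with no caller check."""
    return {"status": 200, "action": "archive-deleted"}


def handle_protected(request: dict, secret: str, now: Optional[float] = None) -> dict:
    """Hardened route: a verified bearer token is required before any work."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401}
    claims = verify_jwt(auth[len("Bearer "):], secret, now)
    if claims is None:
        return {"status": 401}
    return {"status": 200, "user": claims.get("sub")}


if __name__ == "__main__":
    # Constructed demo: start-up fails with the shipped default, succeeds with a real secret.
    try:
        load_signing_secret({"JWT_SECRET_KEY": HARDCODED_DEFAULT_SECRET})
    except InsecureConfigError as err:
        print("refused to start:", err)
    secret = load_signing_secret({"JWT_SECRET_KEY": "k" * 48})
    token = sign_jwt({"sub": "operator", "exp": int(time.time()) + 600}, secret)
    print(handle_protected({"headers": {"Authorization": f"Bearer {token}"}}, secret))
```

The design point is that the loader fails closed: a deployment that never set its own secret cannot come up, so the condition the advisory describes (every instance sharing one public key) cannot persist unnoticed. The route guard shows why rotating the key alone is not enough; routes that never call `verify_jwt` stay open regardless of how strong the secret is.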

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-321 (Use of Hard-coded Cryptographic Key)

Affected Products

Vendor: bambuddy
Product: bambuddy
Versions: ≤ 0.1.7

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote attackers to forge JWTs using the hardcoded signing key, directly facilitating exploitation of the public-facing Bambuddy web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References