Cyber Posture

CVE-2026-42869

Critical

Published: 11 May 2026

Modified: 12 May 2026
KEV Added:
Patch:
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42869 is a critical-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked at the 30.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants.

Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-287, CWE-798: Detects unauthorized successful logons resulting from improper authentication implementations.
- Addresses CWE-287, CWE-522: Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
- Addresses CWE-287, CWE-798: Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
- Addresses CWE-287, CWE-798: Documented IA policy and procedures require proper authentication mechanisms to be defined and followed, reducing improper authentication.
- Addresses CWE-287, CWE-798: Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.
- Addresses CWE-522, CWE-798: Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.
- Addresses CWE-798, CWE-287: Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
- Addresses CWE-287, CWE-522: Revoking authenticators and credentials eliminates the ability of terminated individuals to authenticate using prior mechanisms.

NVD Description

SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET is not explicitly set — including the default Docker Compose setup — signs all authentication tokens with this publicly known value. An unauthenticated attacker can forge arbitrary admin-scoped JWTs and gain full control of the application and every security tool it manages without any credentials. This vulnerability is fixed in 0.1.57.
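The weakness class in the description (a signing secret that silently falls back to a value committed to the repository) is shown below beside a fail-closed loader and a small .env audit helper. This is an added example, not SOCFortress CoPilot's code; the fallback string, the 32-byte minimum and the function names are assumptions made for illustration, and the real shipped value is deliberately not reproduced.

```python
import os
import secrets

# Constructed placeholder standing in for a publicly shipped fallback value
# (assumption: the advisory's actual default is intentionally not copied here).
SHIPPED_FALLBACK = "EXAMPLE-PLACEHOLDER-fallback-secret"
MIN_SECRET_BYTES = 32  # assumed floor: HS256 keys should be at least 256 bits


def jwt_secret_vulnerable(env):
    """The weak pattern: silently fall back to a value anyone can read.

    A deployment that never exports JWT_SECRET (for example one that copies
    .env.example unchanged) signs every token with the shipped value, so a
    valid signature no longer proves the token was issued by this server.
    """
    return env.get("JWT_SECRET", SHIPPED_FALLBACK)


def validate_jwt_secret(env, known_defaults=(SHIPPED_FALLBACK,)):
    """Return a list of problems with the configured secret; empty means OK."""
    problems = []
    secret = env.get("JWT_SECRET")
    if not secret:
        problems.append("JWT_SECRET is not set")
        return problems
    if secret in known_defaults:
        problems.append("JWT_SECRET equals a publicly shipped placeholder")
    if len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        problems.append(f"JWT_SECRET is shorter than {MIN_SECRET_BYTES} bytes")
    return problems


class JwtSecretError(RuntimeError):
    """Raised at startup so a misconfigured service never serves a request."""


def jwt_secret_hardened(env):
    """Fail closed: no fallback, no silent acceptance of a known placeholder."""
    problems = validate_jwt_secret(env)
    if problems:
        raise JwtSecretError("refusing to start: " + "; ".join(problems))
    return env["JWT_SECRET"]


def generate_secret():
    """Operator helper: a fresh random value to place in the real .env file."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)


def parse_dotenv(text):
    """Minimal KEY=VALUE parser for .env files (comments and quotes handled)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def audit_env_file(text):
    """Flag a deployment's .env that still carries the shipped placeholder."""
    return validate_jwt_secret(parse_dotenv(text))


if __name__ == "__main__":
    # Check the current process environment the same way the service would.
    for problem in validate_jwt_secret(dict(os.environ)) or ["JWT_SECRET looks fine"]:
        print(problem)
```

The audit helper is meant for a defender reviewing existing deployments: run it over each host's .env and treat any non-empty result as a token-forgery exposure that needs a secret rotation, not just a config tidy-up, since tokens signed under the old value remain valid until the key changes.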

Deeper analysis

Automated synthesis unavailable for this CVE.

Details

CWE(s)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: copilot, copilot

References