{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25505", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T18:21:42.486Z", "datePublished": "2026-02-04T20:06:30.538Z", "dateUpdated": "2026-02-06T18:41:07.205Z"}, "containers": {"cna": {"title": "Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-321", "lang": "en", "description": "CWE-321: Use of Hard-coded Cryptographic Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf"}, {"name": "https://github.com/maziggy/bambuddy/pull/225", "tags": ["x_refsource_MISC"], "url": "https://github.com/maziggy/bambuddy/pull/225"}, {"name": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9", "tags": ["x_refsource_MISC"], "url": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9"}, {"name": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb", "tags": ["x_refsource_MISC"], "url": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb"}, {"name": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28", "tags": ["x_refsource_MISC"], "url": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28"}, {"name": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md", "tags": ["x_refsource_MISC"], "url": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md"}, {"name": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7"}], "affected": [{"vendor": "maziggy", "product": "bambuddy", "versions": [{"version": "< 0.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T18:41:07.205Z"}, "descriptions": [{"lang": "en", "value": "Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7."}], "source": {"advisory": "GHSA-gc24-px2r-5qmf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T20:35:19.621359Z", "id": "CVE-2026-25505", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:35:30.607Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25505", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T20:35:19.621359Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:35:23.575Z"}}], "cna": {"title": "Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication", "source": {"advisory": "GHSA-gc24-px2r-5qmf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "maziggy", "product": "bambuddy", "versions": [{"status": "affected", "version": "< 0.1.7"}]}], "references": [{"url": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf", "name": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/maziggy/bambuddy/pull/225", "name": "https://github.com/maziggy/bambuddy/pull/225", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9", "name": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb", "name": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28", "name": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md", "name": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7", "name": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321: Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T18:41:07.205Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25505", "state": "PUBLISHED", "dateUpdated": "2026-02-06T18:41:07.205Z", "dateReserved": "2026-02-02T18:21:42.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T20:06:30.538Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bambuddy:bambuddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "58605F66-D3E4-45BE-A4BC-2E435EBD824B", "versionEndExcluding": "0.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7."}, {"lang": "es", "value": "Bambuddy es un sistema autoalojado de archivo y gesti\u00f3n de impresiones para impresoras 3D Bambu Lab. Antes de la versi\u00f3n 0.1.7, una clave secreta codificada utilizada para firmar JWTs est\u00e1 incluida en el c\u00f3digo fuente y las rutas de ManyAPI no verifican la autenticaci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 0.1.7."}], "id": "CVE-2026-25505", "lastModified": "2026-02-27T20:25:05.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T20:16:07.707", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/maziggy/bambuddy/pull/225"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T20:08:49.304344+00:00", "value": {"mitigation_remediation": ["Upgrade Bambuddy to version\u00a00.1.7 or newer, which removes the hardcoded secret and enforces authentication on all API routes.", "Configure a new, secure JWT signing key by setting the appropriate environment variable (e.g., JWT_SECRET) and restarting the service to ensure the application no longer uses the removed hardcoded key.", "Restrict external access to the Bambuddy API by applying firewall rules or reverse proxy authentication, ensuring only trusted hosts can reach the endpoints."], "summary": {"action": "Apply Patch", "impact": "Unauthorized API Access"}, "threat_synthesis": {"affected_systems": "All deployments of Bambuddy distributed by the maziggy project before version\u00a00.1.7 are affected. The flaw impacts all API routes that did not enforce authentication and the module that signs JWTs with a hardcoded secret. The product is an open\u2011source project maintained by the community.", "description_and_impact": "Bambuddy, a self\u2011hosted print archive and management system for Bambu Lab 3D printers, contained a hardcoded secret key used for signing JWTs and lacked authentication checks on many API routes before version\u00a00.1.7. An attacker who obtains the source code or repository can read the secret value, forge valid JWTs, and call any unsecured API endpoint. This flaw permits unauthenticated users to read sensitive printer job data, issue new print jobs, or modify existing ones, thereby compromising confidentiality, integrity, or availability of the printing infrastructure.", "risk_and_exploitability": "The vulnerability is scored CVSS\u00a09.8, indicating high severity, but the EPSS score is below 1%, reflecting a very low likelihood of exploitation at present. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote, over the network, because unauthenticated requests to the API can be made from any external host. After inspecting the public source code, an attacker can easily extract the hardcoded key, generate a valid JWT, and then access or control the printer operation APIs. The weakness is classified as improper authentication (CWE\u2011306) and weak cryptographic key management (CWE\u2011321)."}}}}, "created": "2026-02-05T11:39:31.306580+00:00", "updated": "2026-04-18T20:15:09.549362+00:00", "vendors": ["maziggy", "maziggy$PRODUCT$bambuddy"]}