rachelos WeRSS we-mp-rss JWT Handler Weak Secret Key Vulnerability Leading to Authentication Bypass
Vulnerability
A vulnerability exists in rachelos WeRSS we-mp-rss versions through 1.4.8, specifically within the JWT Handler component in the core/auth.py file. The issue arises from the use of hardcoded, weak default secret keys for JWT authentication. Attackers can manipulate the SECRET_KEY argument to revert to the default cryptographic key, which is predictable and corresponds to the project name. This vulnerability allows for the creation of valid administrator tokens, effectively bypassing authentication. The vulnerability can be exploited remotely, and while the complexity of the attack is high, a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for authentication bypass by forging valid JWT tokens, thereby gaining unauthorized access as an administrator.
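A startup guard against this class of flaw, as an added example that is not code from we-mp-rss: it refuses to run when the JWT signing secret is unset, matches a project-name default, or is too short or repetitive to resist guessing. The function name load_jwt_secret, the denylist entries and the thresholds are assumptions made for illustration, not values taken from the project.

```python
import math
import os
from collections import Counter

# Assumption: denylist built from the product names on this page, since the
# advisory says the default key corresponds to the project name. Extend as needed.
DENYLISTED_SECRETS = {"we-mp-rss", "werss", "wemprss", "secret", "changeme"}
MIN_SECRET_BYTES = 32  # an HS256 key should be at least as long as the 256-bit hash output
MIN_ENTROPY_BITS = 128  # assumed floor for the estimated entropy of the whole secret


class WeakSecretError(RuntimeError):
    """Raised when the JWT signing secret is missing or guessable."""


def _normalize(value: str) -> str:
    # Fold case and strip separators so "WE_MP_RSS" matches "we-mp-rss".
    return "".join(ch for ch in value.lower() if ch.isalnum())


def shannon_bits(value: str) -> float:
    """Estimate total entropy in bits from the character distribution."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def load_jwt_secret(env=None, var="SECRET_KEY") -> bytes:
    """Return the signing key, or raise instead of falling back to a default."""
    env = os.environ if env is None else env
    raw = env.get(var, "")
    if not raw.strip():
        raise WeakSecretError(f"{var} is unset; refusing to fall back to a default key")
    if _normalize(raw) in {_normalize(s) for s in DENYLISTED_SECRETS}:
        raise WeakSecretError(f"{var} matches a known default or project-name value")
    if len(raw.encode()) < MIN_SECRET_BYTES:
        raise WeakSecretError(f"{var} is shorter than {MIN_SECRET_BYTES} bytes")
    if shannon_bits(raw) < MIN_ENTROPY_BITS:
        raise WeakSecretError(f"{var} has too little entropy (repeated characters?)")
    return raw.encode()
```

Calling this once at application start, before any token is issued or verified, turns a silent fallback to a predictable key into a hard failure.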
