Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.
The vulnerability consists of two related issues (CWE-306, CWE-321). First, the secret key used to sign and verify JWT tokens is hardcoded in the application source code (file backend/app/core/auth.py), meaning anyone with access to the repository knows this key and can independently generate valid, signed JWT tokens for any user. Second, many API routes do not check authentication at all, allowing an unauthenticated attacker direct access to protected resources without needing to possess a valid token.
An unauthenticated network attacker can gain full access to data, modify 3D printer configurations, and perform actions with the highest privileges in the application, which corresponds to maximum impact on system confidentiality, integrity, and availability.
Bambuddy should be updated to version 0.1.7, where the issue has been resolved. After updating, it is recommended to invalidate all existing JWT tokens and change the signing key to a unique, secret value not contained in the source code.
Bambuddy (a self-hosted archive and print management system for Bambu Lab 3D printers) in all versions before 0.1.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HBambuddy
APPBambuddy< 0.1.7