CRITICAL🇵🇱 Wersja polska

CVE-2026-25505

CVSS 9.8v3.1pub. 2026-02-04upd. 2026-02-27

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.

🤖 AI Analysis
How it works

The vulnerability consists of two related issues (CWE-306, CWE-321). First, the secret key used to sign and verify JWT tokens is hardcoded in the application source code (file backend/app/core/auth.py), meaning anyone with access to the repository knows this key and can independently generate valid, signed JWT tokens for any user. Second, many API routes do not check authentication at all, allowing an unauthenticated attacker direct access to protected resources without needing to possess a valid token.

Impact

An unauthenticated network attacker can gain full access to data, modify 3D printer configurations, and perform actions with the highest privileges in the application, which corresponds to maximum impact on system confidentiality, integrity, and availability.

Mitigation & patch

Bambuddy should be updated to version 0.1.7, where the issue has been resolved. After updating, it is recommended to invalidate all existing JWT tokens and change the signing key to a unique, secret value not contained in the source code.

Who is affected

Bambuddy (a self-hosted archive and print management system for Bambu Lab 3D printers) in all versions before 0.1.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Bambuddy

    APP
    Bambuddy
    < 0.1.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References