← Retour aux CVEs

CVE-2026-25505

CRITICAL

9.8

Description

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie2/4/2026

Derniere modification2/27/2026

Sourcenvd

Observations honeypot0

Produits affectes

bambuddy:bambuddy

Faiblesses (CWE)

CWE-306CWE-321

References

https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28(security-advisories@github.com)

https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md(security-advisories@github.com)

https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9(security-advisories@github.com)

https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb(security-advisories@github.com)

https://github.com/maziggy/bambuddy/pull/225(security-advisories@github.com)

https://github.com/maziggy/bambuddy/releases/tag/v0.1.7(security-advisories@github.com)

https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.