CVE-2025-26340
In short
Q-Free MaxTime uses a hardcoded cryptographic key to sign authentication tokens, allowing attackers to forge valid tokens and bypass login requirements without needing legitimate credentials.
Technical detail
A CWE-321 vulnerability in the JWT signing mechanism of Q-Free MaxTime ≤2.11.0: authentication tokens are signed with a hardcoded cryptographic key. An unauthenticated remote attacker can forge valid JWT tokens via crafted HTTP requests, achieving authentication bypass without pre-existing credentials.
Summary generated and translated by AI from the official description.
A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests.
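To make the weakness concrete from the defender's side, the following added example (not code from Q-Free or from this advisory) contrasts the CWE-321 shape, a signing key baked into the source, with a key read from the deployment's secret store, and adds a check that flags tokens still verifying under a retired key. The key value, the environment variable name and the claims are constructed placeholders.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Vulnerable shape (CWE-321): one signing key baked into the source and shared by
# every install. Constructed placeholder value; it is not MaxTime's key.
HARDCODED_KEY = b"placeholder-baked-in-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT; key must be the deployment-specific secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims when the signature verifies under `key`, else None.
    The algorithm is pinned to HS256 so a header of alg=none is never accepted."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(p))

def signed_with_retired_key(token: str, retired_keys: list) -> bool:
    """Detection aid after rotating away from a hardcoded key: a token that
    verifies under a retired key was minted with the leaked secret; reject and log it."""
    return any(verify_hs256(token, k) is not None for k in retired_keys)

def load_deployment_key(env: dict) -> bytes:
    """Hardened shape: the key comes from the deployment's secret store (here an
    environment-like mapping, an assumption) and startup fails if it is missing."""
    value = env.get("JWT_SIGNING_KEY")
    if not value or len(value) < 32:
        raise RuntimeError("JWT_SIGNING_KEY must be set to at least 32 characters")
    return value.encode()
```

A patched deployment keeps the old hardcoded value only in the retired list, so sessions minted under it are refused and surface in logs rather than being silently honoured.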
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Q-Free · MaxTime