Threat Advisory

go-base Vulnerability Allows JWT Token Forgery

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-48031 (CVSS score 9.1) is a critical authentication bypass vulnerability in the Go REST API boilerplate package `github.com/dhax/go-base`, affecting all releases prior to version 0.0.0-20260517152733-cc82b9740fa6. The flaw stems from a hard-coded JWT signing secret set to the literal string “random” in both the default `.env` template and a programmatic fallback in `cmd/serve.go`, together with a broken mitigation that only replaces this exact value with a transient in-memory key. An attacker who can view the public repository (or otherwise obtain the source) learns the secret, crafts a forged HS256-signed JWT containing any desired claims, such as an admin email and role, and presents it to the target API over the network without any prior authentication, because the service trusts any token signed with the known secret. Successful exploitation grants full authentication, allowing the adversary to read, modify, or delete user data, invoke privileged admin endpoints, and obtain fresh refresh tokens, compromising the confidentiality, integrity, and availability of the service. Exploitation requires the vulnerable application to be deployed with the default secret unchanged and listening on a reachable network interface; any deployment where the secret is overridden or the vulnerable version is not used is not exposed to the attack.
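The mitigation described above fails because it only swaps the exact placeholder for a transient key, so variants slip through and tokens stop verifying across restarts. A fail-closed alternative is to validate the configured secret at startup and refuse to run if it is a known placeholder, too short, or low-variety. This is an added example, not code from the advisory or from the go-base project; the environment variable name `AUTH_JWT_SECRET`, the placeholder list and the thresholds are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Constructed policy: HS256 keys should carry at least 256 bits, and a
// secret made of a handful of repeated characters is a placeholder, not a key.
const (
	minSecretBytes    = 32
	minDistinctBytes  = 10
)

// knownPlaceholders lists values that must never be accepted as a signing key;
// "random" is the go-base default this advisory describes, the rest are assumed.
var knownPlaceholders = map[string]bool{"": true, "random": true, "secret": true, "changeme": true}

var ErrWeakSecret = errors.New("jwt secret is missing, a placeholder, or too weak")

// ValidateJWTSecret returns the secret unchanged when it passes policy and
// wraps ErrWeakSecret otherwise, so callers can fail closed instead of
// silently substituting a key of their own.
func ValidateJWTSecret(secret string) (string, error) {
	s := strings.TrimSpace(secret)
	if knownPlaceholders[strings.ToLower(s)] {
		return "", fmt.Errorf("%w: placeholder value %q", ErrWeakSecret, s)
	}
	if len(s) < minSecretBytes {
		return "", fmt.Errorf("%w: %d bytes, need at least %d", ErrWeakSecret, len(s), minSecretBytes)
	}
	distinct := map[byte]bool{}
	for i := 0; i < len(s); i++ {
		distinct[s[i]] = true
	}
	if len(distinct) < minDistinctBytes {
		return "", fmt.Errorf("%w: only %d distinct bytes", ErrWeakSecret, len(distinct))
	}
	return s, nil
}

// LoadJWTSecret reads the (hypothetical) AUTH_JWT_SECRET variable; there is
// deliberately no in-memory fallback, a weak or absent value is an error.
func LoadJWTSecret() (string, error) { return ValidateJWTSecret(os.Getenv("AUTH_JWT_SECRET")) }

func main() {
	secret, err := LoadJWTSecret()
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("jwt secret accepted (%d bytes)\n", len(secret))
}
```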


RECOMMENDATION:

  • We recommend updating github.com/dhax/go-base to version 0.0.0-20260517152733-cc82b9740fa6.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-mqq6-462x-jxmm
