Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.

Basic Information

ID CVE-2026-25505

Source GitHub_M

Published Feb 4, 2026 at 20:06

Modified Feb 4, 2026 at 20:35

Affected Product

Vendor maziggy

Product bambuddy

Version < 0.1.7

Affected Versions maziggy bambuddy < 0.1.7

CWE Classification

CWE-306 CWE-321

References

{
    "lastseen": "",
    "description": "Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.",
    "published": "2026-02-04T20:06:30.538Z",
    "modified": "2026-02-04T20:35:30.607Z",
    "type": "cve",
    "title": "Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication",
    "source": "GitHub_M",
    "references": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf\nhttps://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9\nhttps://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28",
    "id": "CVE-2026-25505",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306",
        "CWE-321"
    ],
    "cvelist": null,
    "sourceData": "maziggy bambuddy < 0.1.7",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "bambuddy",
    "version": "< 0.1.7",
    "vendor": "maziggy",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication_CVE-2026-25505