The vulnerability affects yeti-platform prior to version 2.1.12. If the YETI_AUTH_SECRET_KEY environment variable is not set to a value other than the default 'SECRET', attackers can generate valid JSON Web Tokens (JWTs). This occurs because the platform uses a predictable secret key for signing tokens, enabling token forgery and potential unauthorized access. No CVSS score or detailed vendor advisory is provided, and no patch or official remediation level is specified in the data.

Attackers can create valid JWT tokens without authorization if the default secret key is used, potentially allowing unauthorized access to the system or impersonation of users. The impact depends on whether the default secret is changed; if it is, the vulnerability is mitigated. No known exploits in the wild have been reported.

Change the default secret key by setting the YETI_AUTH_SECRET_KEY environment variable to a strong, unique value different from the default 'SECRET'. This action mitigates the vulnerability. Since no official patch or fix is indicated, configuration change is the primary remediation. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.