CVE-2026-5622: Use of Hard-coded Cryptographic Key in hcengineering Huly Platform
A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. Manipulation of the argument SERVER_SECRET with the input secret causes use of a hard-coded cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
This vulnerability affects the JWT Token Handler in hcengineering Huly Platform 0.7.382, specifically in the file foundations/core/packages/token/src/token.ts. The SERVER_SECRET argument is manipulated to use a hard-coded cryptographic key, which weakens cryptographic security. The vulnerability can be exploited remotely but requires high attack complexity. The CVSS 4.0 base score is 6.3, reflecting medium severity. No vendor response or patch is available at this time.
Potential Impact
The use of a hard-coded cryptographic key can undermine the security of JWT tokens, potentially allowing attackers to bypass authentication or authorization mechanisms if they can exploit this vulnerability. However, exploitation is difficult due to high attack complexity, and no known exploits have been reported. The impact is limited to the affected version 0.7.382 of the Huly Platform.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded and no official fix is available, users should consider mitigating risk by avoiding use of the affected version or implementing compensating controls around token handling. Monitor for vendor updates or community patches addressing this issue.
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-04-05T16:06:11.825Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d33a730a160ebd9261d5bc
Added to database: 4/6/2026, 4:45:39 AM
Last enriched: 4/6/2026, 5:00:26 AM
Last updated: 4/6/2026, 5:53:38 AM