
[Security] Fix 6 vulnerabilities: Plaintext Passwords, Hardcoded JWT, Default Accounts, Missing SECRET_KEY (CWE-256, CWE-798, CWE-1392, CWE-532)#350

Open

saaa99999999 wants to merge 2 commits into melihcolpan:master from saaa99999999:security-fixes


Conversation


@saaa99999999 saaa99999999 commented May 16, 2026

Security Issues Fixed

1. Plaintext Password Storage (CWE-312) — Critical

All user passwords were stored as plaintext in the SQLite database. The User model defined passwords as a plain string column with no hashing:


Login compared raw password strings directly in the SQL query:

Password reset read and wrote plaintext passwords:

Anyone with database access (SQL injection, backup leak, insider threat) can read every user password in cleartext.

Fix: Added bcrypt password hashing via set_password()/check_password() methods on the User model:


Updated Register handler:

Updated Login handler:

Updated ResetPassword handler:

Also added to .

2. Hardcoded JWT Secrets (CWE-798) — Critical

had hardcoded JWT signing keys:

Anyone who knows these strings can forge valid tokens for any user, including admin and super_admin roles.

Fix: Read secrets from environment variables:

Other Fixes

  • Removed password from User.__repr__ to prevent plaintext password exposure in logs
  • Removed automatic creation of default users (super_admin, admin, test_user) with hardcoded credentials
  • Changed FLASK_DEBUG from hardcoded True to read from environment variable

- Remove hardcoded JWT secrets (use JWT_SECRET/REFRESH_JWT_SECRET env vars)
- Add SECRET_KEY from environment (required, not defaulted)
- Remove hardcoded DEBUG=True (default to False)
- Remove default admin accounts (sa/admin/test user)
- Remove plaintext password from User.__repr__

Co-Authored-By: Security Researcher <noreply@anthropic.com>
@saaa99999999 saaa99999999 changed the title from "fix: 5 critical security vulnerabilities" to "[Security] Fix 6 vulnerabilities: Plaintext Passwords, Hardcoded JWT, Default Accounts, Missing SECRET_KEY (CWE-256, CWE-798, CWE-1392, CWE-532)" on May 16, 2026
Passwords were stored as plaintext in the database and compared
directly during login and password reset. This adds bcrypt hashing
via set_password/check_password methods on the User model.
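An added illustration of the fix the PR description above outlines (this is not code from the PR or from the project): a minimal User model with salted password hashing behind set_password()/check_password(), a __repr__ that excludes password material, and fail-fast loading of the JWT signing secret and FLASK_DEBUG flag from the environment. The PR uses bcrypt; this stand-alone version substitutes the standard library's hashlib.pbkdf2_hmac so it runs with no third-party dependency. The iteration count, the 32-character minimum for secrets, and the helper names load_required_secret()/debug_enabled() are assumptions, not the project's own.

```python
"""Salted password hashing plus environment-sourced secrets (added example)."""
import hashlib
import hmac
import os
import secrets

# Assumption: iteration count for PBKDF2-HMAC-SHA256; the PR itself uses bcrypt.
PBKDF2_ITERATIONS = 600_000
# Assumption: refuse secrets shorter than this so a placeholder like "secret" cannot boot the app.
MIN_SECRET_LENGTH = 32


class User:
    """Stores only a salted, iterated hash; the plaintext password is never persisted."""

    def __init__(self, username: str, role: str = "user") -> None:
        self.username = username
        self.role = role
        # Format: "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"
        self._password_hash = ""

    def set_password(self, password: str) -> None:
        """Hash the password with a fresh random salt (the 'after' of the plaintext column)."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )
        self._password_hash = (
            f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"
        )

    def check_password(self, password: str) -> bool:
        """Recompute the hash with the stored salt and compare in constant time."""
        if not self._password_hash:
            return False  # an account that never had a password set cannot log in
        _algo, iterations, salt_hex, hash_hex = self._password_hash.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

    def __repr__(self) -> str:
        # No password or hash in the repr, so logging a User object cannot leak credentials.
        return f"<User {self.username!r} role={self.role!r}>"


def load_required_secret(name: str, environ=os.environ) -> str:
    """Return a signing secret from the environment; refuse to start without a real one."""
    value = environ.get(name, "")
    if len(value) < MIN_SECRET_LENGTH:
        raise RuntimeError(
            f"{name} must be set to at least {MIN_SECRET_LENGTH} characters; refusing to start"
        )
    return value


def debug_enabled(environ=os.environ) -> bool:
    """FLASK_DEBUG read from the environment, defaulting to off rather than on."""
    return environ.get("FLASK_DEBUG", "0").strip().lower() in ("1", "true", "yes")


if __name__ == "__main__":
    # Constructed demo input; in the app these values would come from the real environment.
    demo_env = {"JWT_SECRET": secrets.token_urlsafe(48), "FLASK_DEBUG": "0"}
    user = User("alice", role="admin")
    user.set_password("correct horse battery staple")
    print(user, user.check_password("correct horse battery staple"))
    print("debug:", debug_enabled(demo_env), "secret loaded:", bool(load_required_secret("JWT_SECRET", demo_env)))
```

check_password() compares the stored and recomputed digests with hmac.compare_digest rather than `==`, and set_password() draws a new 16-byte salt per call, so two users with the same password get different hashes; both points hold for a bcrypt implementation as well, since bcrypt embeds its own salt and work factor in the hash string.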
@saaa99999999 (Author)

CVE Request — Action Needed from Maintainer

This PR fixes security vulnerabilities. To assign a CVE number:

GitHub only issues CVEs from the official upstream repository, not from forks.

Please:

  1. Go to this repo → Security → Advisories → New draft security advisory
  2. Add @saaa99999999 as a collaborator
  3. I will populate the full vulnerability details (CVSS, CWE, data flow, PoC) and submit the CVE request

If you prefer, I can submit the CVE via MITRE (cveform.mitre.org) instead — just let me know.

Thank you for reviewing this PR!
