
CVE-2020-36911

Critical · Public PoC

Published: 13 January 2026
Modified: 29 January 2026
KEV Added: not listed
CVSS v4.0 base score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS score: 0.1045 (95.2nd percentile)
Risk priority: 70 (site score: floored blend, peak EPSS)

Summary

CVE-2020-36911 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Cobbr Covenant. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept (a Ruby module) is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2020-36911 is a remote code execution vulnerability affecting Covenant versions 0.1.3 through 0.5. The flaw lets an attacker craft JSON Web Tokens (JWTs) that the server accepts as carrying administrative privileges, after which they can upload a custom DLL payload and execute arbitrary commands on the host. The root cause, classified under CWE-798 (Use of Hard-coded Credentials), is that the JWT signing key is fixed rather than generated per installation: signature validation itself works as designed, but anyone who knows the shared key can sign a token with the administrator role that passes every check. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated attacker with network access to the Covenant web interface can exploit this vulnerability: attack complexity is low and no privileges or user interaction are required. Successful exploitation grants full administrative control and remote code execution, compromising the confidentiality, integrity, and availability of the host. Covenant is a .NET command-and-control framework used in red-team operations, so an attacker also gains the operator interface and every Grunt implant the server manages. A practical check is the deployed version (0.5 or earlier is affected) and whether the signing key in the deployed configuration is the one that ships with the project rather than one generated for that deployment.
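To make the failure mode concrete, the following is an added example written for this page; it is not Covenant's code and not the referenced proof-of-concept. It implements HS256 JWT signing and verification from the standard library, forges a token carrying an administrator role under a shared key, and shows that a server using that same key accepts it while a server with a per-install random key rejects it. The key value, the claim name "role" and the role string "Administrator" are assumptions for illustration only.

```python
"""Forged-JWT demo: a shared/hard-coded HS256 signing key lets anyone mint
"Administrator" tokens; a per-install random key makes the same forgery fail.
Added example, not Covenant's code. Claim names ("role", "Administrator") and
the key value are assumptions for illustration only."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Stand-in for a signing key hard-coded in a shipped config file (CWE-798).
# Constructed for this example; it is NOT the real Covenant key.
DEFAULT_KEY = b"default-jwt-key-shipped-in-config"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Anyone holding `key` can do this; that is the whole bug."""
    def compact(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact({'alg': 'HS256', 'typ': 'JWT'})}.{compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is correctly signed under `key` and unexpired,
    else None. The algorithm is pinned to HS256, so "alg": "none" and RS/HS
    confusion attempts are rejected before any signature check."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        exp = claims.get("exp")
    except (ValueError, AttributeError):  # malformed base64/JSON, wrong part count, non-object
        return None
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def forge_admin_token(key: bytes) -> str:
    """Attacker side: mint a token carrying the admin role under a key they know."""
    claims = {"sub": "attacker", "role": "Administrator", "exp": int(time.time()) + 3600}
    return sign_jwt(claims, key)


class ApiServer:
    """Minimal server-side gate: valid signature AND admin role claim."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key

    def is_admin(self, token: str) -> bool:
        claims = verify_jwt(token, self.signing_key)
        return claims is not None and claims.get("role") == "Administrator"


def vulnerable_server() -> ApiServer:
    # Every install shares DEFAULT_KEY, so an attacker who read it once can forge for all.
    return ApiServer(DEFAULT_KEY)


def hardened_server() -> ApiServer:
    # Key generated at first start from a CSPRNG; never in source control or shipped config.
    return ApiServer(secrets.token_bytes(32))


def demo() -> tuple:
    """(vulnerable server accepts forged admin token, hardened server accepts it)."""
    forged = forge_admin_token(DEFAULT_KEY)
    return vulnerable_server().is_admin(forged), hardened_server().is_admin(forged)


if __name__ == "__main__":
    print("vulnerable accepts forged admin token: %s, hardened: %s" % demo())
```

The point the example makes is that no amount of signature or input validation helps once the key is shared: the forged token is byte-for-byte as valid as one the server issued. The only server-side fix is to stop the key from being knowable, which is why `hardened_server` generates it at first start rather than reading a default.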

References for this CVE include the official Covenant project page at https://cobbr.io/Covenant.html, a proof-of-concept exploit at https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb, the main Covenant GitHub repository at https://github.com/cobbr/Covenant, and archived discussions: a post by the Covenant author at https://web.archive.org/web/20201013165001/https://twitter.com/cobbr_io/status/1316058367161401344 and a write-up at https://web.archive.org/web/20201101052547/https://blog.null.farm/hunting-the-hunters. Practitioners should consult these for the disclosed fix and mitigation guidance.


Vulnerability details

Covenant 0.1.3 through 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.

CWE(s)

CWE-798 Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote code execution in a public-facing web application (the Covenant server) through forged JWTs, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30701 (shared CWE-798)
CVE-2026-35503 (shared CWE-798)
CVE-2017-20234 (shared CWE-798)
CVE-2026-32834 (shared CWE-798)
CVE-2025-42890 (shared CWE-798)
CVE-2026-27073 (shared CWE-798)
CVE-2026-25202 (shared CWE-798)
CVE-2025-56749 (shared CWE-798)
CVE-2025-1393 (shared CWE-798)
CVE-2024-55927 (shared CWE-798)

Affected Assets

cobbr covenant, versions 0.1.3 through 0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Addresses the acceptance of forged tokens by requiring that untrusted inputs such as presented JWTs be validated before they grant administrative privileges. Note that this alone is not sufficient here: a token signed with the leaked shared key is well-formed and validates correctly, so validation must be paired with key management.

prevent (IA-5 Authenticator Management): Ensures proper management, protection, and verification of authenticators such as JWT signing keys. In practice this is the control that closes the issue: generate a unique, high-entropy signing key per deployment at install time, never ship a default key in source or configuration, and rotate it if exposure is suspected.

prevent (AC-3 Access Enforcement): Enforces approved authorizations so that an invalid or forged token cannot enable administrative actions such as DLL uploads and command execution.
