CVE-2026-25505
Published: 04 February 2026
Summary
CVE-2026-25505 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Bambuddy. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 49.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-25505 is a critical authentication vulnerability in Bambuddy, a self-hosted print archive and management system for Bambu Lab 3D printers. In versions prior to 0.1.7, the application commits a hardcoded secret key used for signing JSON Web Tokens (JWTs) directly into the source code, and many API routes do not enforce authentication checks. The combination, mapped to CWE-306 (Missing Authentication for Critical Function) and CWE-321 (Use of Hard-coded Cryptographic Key), exposes the system to unauthorized access: the signing secret is identical on every installation and readable by anyone with the source, so signature validation provides no protection, and routes that never look for a token need no forged token at all.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is exploitable by unauthenticated attackers over the network with low complexity and no user interaction. Remote attackers can forge valid JWTs with the exposed signing secret and call the unprotected API routes directly, potentially achieving full compromise of the Bambuddy instance, including unauthorized management of 3D print archives, data exfiltration, data modification, or disruption of printing operations.
The fix is available in Bambuddy version 0.1.7, which replaces the hardcoded key and adds authentication enforcement to the affected routes; the change is documented in the project's CHANGELOG.md, the commits addressing the issues, and the corresponding pull request on GitHub. Operators should upgrade immediately. After upgrading, confirm that the running instance loads a signing secret that does not appear in the repository, since any token signed with the committed key should be treated as forgeable.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5350
Vulnerability details
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and many API routes do not check authentication. This issue has been patched in version 0.1.7.
- CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-321 (Use of Hard-coded Cryptographic Key)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote attackers to forge JWTs using the hardcoded signing key, or to call the unprotected API routes without any token, directly facilitating exploitation of the public-facing Bambuddy web application (T1190).
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for access to system resources, directly addressing the failure of many API routes to check authentication.
SC-12 mandates establishment and management of cryptographic keys, so that the JWT signing key is generated per deployment and stored outside the source tree rather than committed as a literal.
AC-14 limits and documents permitted actions without identification or authentication, mitigating unauthorized access to critical API functions.