GHSA-mv7p-34fv-4874: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments

CVE-2025-13877: NocoBase Docker deployments use a default JWT key, allowing attackers to bypass authentication and impersonate users.

### Impact

CVE-2025-13877 is an **authentication bypass vulnerability caused by insecure default JWT key usage** in NocoBase Docker deployments. Because the official one-click Docker deployment configuration historically provided a **public default JWT key**, attackers can **forge valid JWT tokens without possessing any legitimate credentials**. By constructing a token with a known `userId` (commonly the administrator account), an attacker can directly bypass authentication and authorization checks.

Successful exploitation allows an attacker to:

- Bypass authentication entirely
- Impersonate …
