CVE-2026-25505 PUBLISHED

Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication

Assigner: GitHub_M
Reserved: 02.02.2026 Published: 04.02.2026 Updated: 04.02.2026

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	maziggy
Product	bambuddy
Versions	Version < 0.1.7 is affected

References

https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf
https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9
https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28

Problem Types

CWE-306: Missing Authentication for Critical Function CWE
CWE-321: Use of Hard-coded Cryptographic Key CWE