| Title | FIT2CLOUD SQLBot 1.3.0 Improper Verification of Cryptographic Signature |
|---|
| Description | SQLBot version 1.3.0 and earlier contains a JWT signature verification bypass vulnerability in the embedded authentication mechanism. The validateEmbedded function explicitly disables both signature verification (verify_signature: False) and expiration verification (verify_exp: False) when decoding JWT tokens, allowing an attacker to forge arbitrary JWT tokens and impersonate any user if they know a valid assistant/embedded ID. |
|---|
| Source | ⚠️ https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-JWT-Signature-Verification-Bypass.md |
|---|
| User | yaowenxiao (UID 82929) |
|---|
| Submission | 12/05/2025 04:29 PM (4 months ago) |
|---|
| Moderation | 03/01/2026 07:31 AM (3 months later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 348292 [Dataease SQLBot up to 1.5.1 JWT Token auth.py validateEmbedded signature verification] |
|---|
| Points | 20 |
|---|