KubePi - Authentication Bypass (CVE-2023-22463)
155 exploiting IPs reported
KubePi is a Kubernetes (k8s) management panel. The JWT authentication code in KubePi through version 1.6.2 uses a hard-coded JWT signing key (`JwtSigKey` in `session.go`), so every deployed instance shares the same key. Because the key is in the source code, an attacker can read it and forge a JWT for any user, including the administrator of any Internet-exposed instance, and from there take over the Kubernetes clusters that instance manages. A signing key is a secret and must never be hard-coded. The issue is fixed in 1.6.3: the JWT key is now read from app.yml, and if the user leaves it blank a random key is used instead. There are no workarounds other than upgrading.
CrowdSec analysis
KubePi through version 1.6.2 is vulnerable to authentication bypass because its JWT signing key is hard-coded: anyone who knows the key can forge valid tokens and obtain administrator access to any exposed instance. This flaw, also recorded in EUVD, lets attackers take over the Kubernetes clusters managed by KubePi, which can amount to full compromise of an enterprise environment. Upgrading to version 1.6.3 is required to remediate this critical issue.
CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.
CrowdSec network observations suggest that most exploitation of CVE-2023-22463 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration, so a given attack is unlikely to be accidental. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2023-22463 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2023-22463 continues to be an active part of the threat landscape and will likely remain so for the foreseeable future.
Attackers send a POST request to the /kubepi/api/v1/users endpoint authenticated with a JWT forged under the hard-coded signing key, bypassing authentication and creating administrator users to gain unauthorized access to the KubePi management interface.
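To make the mechanism behind both the description and the exploitation pattern concrete, the following Go program is an added example written for this page; it is not KubePi's code. It implements a minimal HS256 JWT signer and verifier, forges an administrator token under a key that stands in for the hard-coded one (the key value, the claim field names and the `LoadSigningKey` helper are assumptions for illustration; the real key is not reproduced here), and shows why the token verifies on every vulnerable install but is rejected once the signing key is read from configuration or randomly generated, as in the 1.6.3 fix.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// hardCodedKey stands in for the key that session.go embedded in the binary
// before 1.6.3. The value is an assumption for this example, not KubePi's real
// key; the point is that every install shared one value an attacker can read.
var hardCodedKey = []byte("example-shared-secret-not-the-real-one")

// Claims is a simplified session payload (field names assumed, not KubePi's).
type Claims struct {
	Username string   `json:"username"`
	Roles    []string `json:"roles"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 produces header.payload.signature with HMAC-SHA256. Anyone holding
// key can call this, which is exactly the attacker's position when the key is
// hard-coded in public source.
func SignHS256(c Claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// VerifyHS256 accepts only HS256 tokens whose MAC matches under key. The alg
// header is checked first so a token claiming {"alg":"none"} cannot skip the MAC.
func VerifyHS256(token string, key []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return Claims{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// LoadSigningKey follows the shape of the 1.6.3 fix described on this page:
// take the key from configuration (app.yml) and, when it is left blank,
// generate a random per-install key instead of falling back to a constant.
func LoadSigningKey(configured string) ([]byte, error) {
	if configured != "" {
		return []byte(configured), nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	// Attacker side: forge an administrator token with the shared key.
	forged, _ := SignHS256(Claims{Username: "admin", Roles: []string{"Administrator"}}, hardCodedKey)

	// Vulnerable server: same key on every install, so the forgery verifies.
	_, err := VerifyHS256(forged, hardCodedKey)
	fmt.Println("shared hard-coded key accepts forged token:", err == nil)

	// Patched server: random per-install key, so the same token is rejected.
	perInstall, _ := LoadSigningKey("")
	_, err = VerifyHS256(forged, perInstall)
	fmt.Println("random per-install key accepts forged token:", err == nil)
}
```

The forged token is what an attacker would present as the session credential on the POST to /kubepi/api/v1/users described above. Note that the fix does not change the token format at all; the only thing that changes is that the verifier's key is no longer knowable in advance, which is why a signing secret must be generated or configured per deployment rather than shipped in the code.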
Blocklist
Based on detections across its worldwide network, CrowdSec publishes a list of IP addresses observed exploiting this vulnerability. Blocking that list of identified actors reduces exposure to exploitation attempts against this CVE.