Bypass Record

Valid Accounts × SOCFortress CoPilot

A publicly reported instance of Valid Accounts bypassing SOCFortress CoPilot, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
SOCFortress CoPilot
Technique
Valid Accounts
MITRE ATT&CK
T1078
Confidence
High
Severity
Critical
Status
unknown
Disclosed
2026-05-11
Config / version noted
Yes

Provenance

Reported as

authentication bypass vulnerability in SOCFortress CoPilot versions prior to 0.1.57... hardcoded JWT signing secret, allowing unauthenticated attackers to forge admin tokens

Mechanism

The backend uses a hardcoded JWT secret as a fallback when JWT_SECRET is not set. Because that fallback value is public in the repository, an attacker can forge a JWT carrying admin claims, sign it with the known secret, and submit it to the API. CoPilot accepts the token and grants full administrative access without any credentials.

Detection & mitigation

Monitor web server logs for JWT authentication attempts with anomalous token claims (e.g., unexpected 'admin' role) or tokens signed with known hardcoded secrets. Mitigate by immediately rotating the JWT secret to a strong, unique value and ensuring no default secrets remain in configuration files or source code.
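As an added example (not CoPilot's own code), the vulnerable fallback pattern from the Mechanism section beside a fail-closed loader, plus a detection helper that flags presented tokens which verify under a known default secret or carry an admin claim. The default-secret value, the 32-character minimum and the `role == "admin"` claim shape are assumptions; the sample tokens are constructed inline.

```python
import base64
import hashlib
import hmac
import json

# Placeholder standing in for the leaked fallback secret; the real value is deliberately not reproduced.
KNOWN_DEFAULT_SECRETS = {"PLACEHOLDER_DEFAULT_SECRET"}
MIN_SECRET_LEN = 32  # assumed policy threshold, not a CoPilot setting

def load_jwt_secret_vulnerable(env: dict) -> str:
    # Vulnerable pattern from the record: silently fall back to a secret that ships in source.
    return env.get("JWT_SECRET", "PLACEHOLDER_DEFAULT_SECRET")

def startup_check(env: dict) -> bool:
    # Hardened pattern: refuse to start unless JWT_SECRET is present, long enough, and not a known default.
    secret = env.get("JWT_SECRET")
    return bool(secret) and len(secret) >= MIN_SECRET_LEN and secret not in KNOWN_DEFAULT_SECRETS

def load_jwt_secret_hardened(env: dict) -> str:
    if not startup_check(env):
        raise RuntimeError("JWT_SECRET must be set to a strong, unique value; refusing to start")
    return env["JWT_SECRET"]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _hs256(signing_input: str, secret: str) -> str:
    return _b64url(hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest())

def issue_token(claims: dict, secret: str) -> str:
    # Minimal HS256 issuer, used only to build the constructed sample tokens below.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_hs256(header + '.' + payload, secret)}"

def audit_token(token: str) -> dict:
    # Detection: flag tokens that verify under a known default secret or that carry an admin claim.
    parts = token.split(".")
    if len(parts) != 3:
        return {"malformed": True, "default_secret": False, "admin_claim": False}
    header, payload, sig = parts
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    signed_with_default = any(hmac.compare_digest(_hs256(header + "." + payload, s).encode(), sig.encode()) for s in KNOWN_DEFAULT_SECRETS)
    # 'role' == 'admin' is an assumed claim shape; adapt it to the claims CoPilot actually issues.
    return {"malformed": False, "default_secret": signed_with_default, "admin_claim": claims.get("role") == "admin"}

# Constructed sample tokens: one forged under the default secret, one issued under a proper secret.
FORGED = issue_token({"sub": "forged", "role": "admin"}, "PLACEHOLDER_DEFAULT_SECRET")
LEGIT = issue_token({"sub": "alice", "role": "analyst"}, "s" * MIN_SECRET_LEN)
```

Run `audit_token` over tokens extracted from web server logs; a hit on `default_secret` is a high-confidence indicator that the fallback secret is still in use and being exploited.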


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.