CVE-2026-6635

Summary

A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
rowboatlabsrowboat0.1.0affected
rowboatlabsrowboat0.1.1affected
rowboatlabsrowboat0.1.2affected
rowboatlabsrowboat0.1.3affected
rowboatlabsrowboat0.1.4affected
rowboatlabsrowboat0.1.5affected
rowboatlabsrowboat0.1.6affected
rowboatlabsrowboat0.1.7affected
rowboatlabsrowboat0.1.8affected
rowboatlabsrowboat0.1.9affected
rowboatlabsrowboat0.1.10affected
rowboatlabsrowboat0.1.11affected
rowboatlabsrowboat0.1.12affected
rowboatlabsrowboat0.1.13affected
rowboatlabsrowboat0.1.14affected
rowboatlabsrowboat0.1.15affected
rowboatlabsrowboat0.1.16affected
rowboatlabsrowboat0.1.17affected
rowboatlabsrowboat0.1.18affected
rowboatlabsrowboat0.1.19affected
rowboatlabsrowboat0.1.20affected
rowboatlabsrowboat0.1.21affected
rowboatlabsrowboat0.1.22affected
rowboatlabsrowboat0.1.23affected
rowboatlabsrowboat0.1.24affected
rowboatlabsrowboat0.1.25affected
rowboatlabsrowboat0.1.26affected
rowboatlabsrowboat0.1.27affected
rowboatlabsrowboat0.1.28affected
rowboatlabsrowboat0.1.29affected
rowboatlabsrowboat0.1.30affected
rowboatlabsrowboat0.1.31affected
rowboatlabsrowboat0.1.32affected
rowboatlabsrowboat0.1.33affected
rowboatlabsrowboat0.1.34affected
rowboatlabsrowboat0.1.35affected
rowboatlabsrowboat0.1.36affected
rowboatlabsrowboat0.1.37affected
rowboatlabsrowboat0.1.38affected
rowboatlabsrowboat0.1.39affected
rowboatlabsrowboat0.1.40affected
rowboatlabsrowboat0.1.41affected
rowboatlabsrowboat0.1.42affected
rowboatlabsrowboat0.1.43affected
rowboatlabsrowboat0.1.44affected
rowboatlabsrowboat0.1.45affected
rowboatlabsrowboat0.1.46affected
rowboatlabsrowboat0.1.47affected
rowboatlabsrowboat0.1.48affected
rowboatlabsrowboat0.1.49affected
rowboatlabsrowboat0.1.50affected
rowboatlabsrowboat0.1.51affected
rowboatlabsrowboat0.1.52affected
rowboatlabsrowboat0.1.53affected
rowboatlabsrowboat0.1.54affected
rowboatlabsrowboat0.1.55affected
rowboatlabsrowboat0.1.56affected
rowboatlabsrowboat0.1.57affected
rowboatlabsrowboat0.1.58affected
rowboatlabsrowboat0.1.59affected
rowboatlabsrowboat0.1.60affected
rowboatlabsrowboat0.1.61affected
rowboatlabsrowboat0.1.62affected
rowboatlabsrowboat0.1.63affected
rowboatlabsrowboat0.1.64affected
rowboatlabsrowboat0.1.65affected
rowboatlabsrowboat0.1.66affected
rowboatlabsrowboat0.1.67affected

Weaknesses

  • CWE-287: Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References