Covenant 0.5 - Remote Code Execution (RCE) | Advisories

Advisories

Covenant 0.5 - Remote Code Execution (RCE)

severity: critical
date: January 13, 2026
Affecting: Covenant <= 0.5
CVE: CVE-2020-36911
CWE: CWE-798 Use of Hard-coded Credentials
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51141
Vendor Homepage
Covenant GitHub Repository
Archived Researcher Blog
Exploit Repository
Archived Maintainer Patch Announcement
Credit: coastal
Description: Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.