### Impact
Unauthenticated attackers can craft arbitrary JWTs, use them to access features that usually require authentication, and execute arbitrary commands as `root` on CasaOS instances.
### Patches
The problem was addressed by improving the validation of JWTs in 705bf1f. This patch is part of CasaOS 0.4.4.
### Workarounds
Users should upgrade to CasaOS 0.4.4. If they can’t, they should temporarily restrict untrusted users' access to CasaOS, for instance by not exposing it publicly.
### References
– 705bf1f