{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-12644",
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "title": "Agent enrollment token reuse in hybrid automation fleet",
      "descriptions": [
        {
          "lang": "en",
          "value": "Bootstrap enrollment tokens remained reusable after expected expiry windows in specific hybrid provisioning paths. An attacker with captured bootstrap material could replay enrollment and register an unauthorized agent inside the telemetry trust domain."
        }
      ],
      "affected": [
        {
          "vendor": "Thorne Security Labs",
          "product": "VAPT Hybrid Agent 2.6 to 2.8 before build 2.8.4",
          "versions": [
            {
              "version": "VAPT Hybrid Agent 2.6.0 through 2.8.3",
              "status": "affected"
            },
            {
              "version": "VAPT Hybrid Agent 2.8.4 and later",
              "status": "unaffected"
            }
          ],
          "defaultStatus": "unknown"
        }
      ],
      "references": [
        {
          "name": "Upgrade bulletin",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vapt.com/advisory/cve-2026-12644"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dr. Elias Thorne"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL"
          }
        }
      ]
    }
  }
}