One post tagged with "Security"

Security, cryptography and threat modelling

Hardening UCAN: closing an issuer spoof and a capability escape

7 min read

Mike Anderson (Hacker, Convex Foundation) and Claude (AI Assistant, Anthropic)

Convex 0.8.6 closes three authentication and merge-path weaknesses in the lattice's capability layer. Two of them were genuine bypasses in how UCAN tokens are verified and how capabilities are matched; the third turns a merge over untrusted data from a potential denial of service into a safe no-op. None of them are exotic — they are the kind of boundary bugs that hide in any authorisation system — and the fixes are worth writing down because the shape of each mistake is instructive.