CVE-2018-0114 before 0.11.0 unathenticated remote attacker can re-sign using a key embeded in token. https://www.cvedetails.com/cve/CVE-2018-0114/