CVE-2026-23958
JWT Secret Exposure in DataEase Enables Admin Password Brute-Force

Publication date: 2026-01-22

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
DataEase is an open-source data visualization and analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user's password as the JWT signing secret. Because the secret is derived deterministically from the password, an attacker can brute-force the admin's password through unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available.
Meta Information
Published: 2026-01-22
Last Modified: 2026-02-17
Generated: 2026-05-07
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: dataease
Product: dataease
Version / Range: up to 2.10.19 (excluding)
CWE
CWE-522: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in DataEase versions prior to 2.10.19 involves the use of the MD5 hash of the admin user's password as the secret key to sign JWT tokens. Because the secret is deterministically derived from the password's MD5 hash, attackers can perform brute-force attacks by guessing passwords, computing their MD5 hashes, and testing them against JWT signature validation on unmonitored API endpoints. This allows attackers to recover the admin password without triggering typical security alarms, leading to full account takeover and control over the application. [1]
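As an added illustration (not code from DataEase, the advisory or this record), the Python sketch below implements minimal HS256 signing and shows why a secret derived as MD5(password) is no stronger than the password itself, beside the random-secret derivation a fix would use. The claims, the sample password and the exact form of the derived key (hex digest used as the HMAC key) are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def hs256_sign(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT (header.payload.signature); no expiry handling."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def hs256_verify(token: str, secret: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def weak_secret(password: str) -> bytes:
    # Weak derivation described in the advisory: the secret is MD5(password),
    # so the secret space is exactly the password space (assumed hex form).
    return hashlib.md5(password.encode()).hexdigest().encode()


def strong_secret() -> bytes:
    # Hardened derivation (an assumption, not taken from the DataEase patch):
    # 256 random bits generated once at install time and kept in server config.
    return secrets.token_bytes(32)


def demo(admin_password: str, guess: str) -> dict:
    claims = {"sub": "admin", "exp": 2_000_000_000}  # constructed sample claims
    weak_token = hs256_sign(claims, weak_secret(admin_password))
    strong_token = hs256_sign(claims, strong_secret())
    # Under the weak scheme, reproducing the password reproduces the signing
    # secret, so a single correct guess validates (or mints) tokens offline.
    # Under a random secret the same guess tells the verifier nothing.
    return {
        "weak_scheme_guess_verifies": hs256_verify(weak_token, weak_secret(guess)),
        "strong_scheme_guess_verifies": hs256_verify(strong_token, weak_secret(guess)),
    }
```

This is why the remediation is a random, independently stored secret rather than a longer admin password: with a derived secret, every endpoint that checks a signature doubles as a password oracle.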


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker to brute-force the admin password by exploiting unmonitored API endpoints that validate JWT tokens. Successful exploitation results in full account takeover of the admin user, giving the attacker complete control over the DataEase application. This can lead to unauthorized access, data manipulation, and potential compromise of sensitive information. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying API endpoints that validate JWT tokens but whose failed validations are not monitored, such as `/de2api/license/version`. You can then check whether the JWT signing secret is derived from the MD5 hash of the admin password by computing MD5 hashes of guessed admin passwords and testing them against JWT signature validation on these endpoints. For example, tools like curl or custom scripts can send requests to the affected endpoint with JWT tokens signed using the MD5 hash of a guessed password and observe whether the server accepts them. Specific commands are not provided; the detection consists of testing JWT validation on unmonitored endpoints to determine whether the signing secret is derived from the MD5 hash of the admin password. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade DataEase to version 2.10.19 or later, where the issue has been fixed. No known workarounds are available, so upgrading is strongly recommended to prevent attackers from brute-forcing the admin password via JWT token validation. [1]

