CVE-2026-23958
Unknown Unknown - Not Provided
JWT Secret Exposure in DataEase Enables Admin Password Brute-Force

Publication date: 2026-01-22

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23958
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease to 2.10.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in DataEase versions prior to 2.10.19 involves the use of the MD5 hash of the admin user's password as the secret key to sign JWT tokens. Because the secret is deterministically derived from the password's MD5 hash, attackers can perform brute-force attacks by guessing passwords, computing their MD5 hashes, and testing them against JWT signature validation on unmonitored API endpoints. This allows attackers to recover the admin password without triggering typical security alarms, leading to full account takeover and control over the application. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker to brute-force the admin password by exploiting unmonitored API endpoints that validate JWT tokens. Successful exploitation results in full account takeover of the admin user, giving the attacker complete control over the DataEase application. This can lead to unauthorized access, data manipulation, and potential compromise of sensitive information. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unmonitored API endpoints that validate JWT tokens, such as `/de2api/license/version`. You can attempt to brute-force the JWT signing secret by computing MD5 hashes of guessed admin passwords and testing them against JWT token signature validation on these endpoints. For example, you might use tools like curl or custom scripts to send requests to the vulnerable API endpoint with forged JWT tokens signed with MD5 hashes of guessed passwords to see if the server accepts them. Specific commands are not provided, but the detection involves testing JWT token validation on unmonitored endpoints to identify if the JWT signing secret is derived from the MD5 hash of the admin password. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade DataEase to version 2.10.19 or later, where the issue has been fixed. No known workarounds are available, so upgrading is strongly recommended to prevent attackers from brute-forcing the admin password via JWT token validation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart