CVE-2026-7018
Received Received - Intake
Hard-Coded Cryptographic Key in Datavines JWT Token Handler

Publication date: 2026-04-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7018
EUVD
EUVD-2026-25693
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
datavane datavines to 13607645e14a4982468cfdbcf75c85cde63bae71 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-320 Key Management Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7018 is a vulnerability in the Datavane Datavines project related to its JWT (JSON Web Token) authentication mechanism. The issue arises from the use of a hardcoded cryptographic key (secret) in the JWT Token Handler and flawed token validation logic.

Specifically, the token validation method improperly compares the password extracted from the token against itself rather than against a stored or expected password, allowing attackers to bypass authentication.

Additionally, the JWT tokens carry plaintext passwords in their claims, which is a critical security risk. The hardcoded secret is a default value "asdqwe" that is used because the configuration key for the secret is missing, making it easy for attackers to forge tokens.

An attacker can remotely exploit this by crafting a JWT token signed with the known hardcoded secret and any arbitrary password, gaining unauthorized access without needing valid credentials.

Compliance Impact

This vulnerability allows an attacker to bypass authentication entirely by exploiting a hardcoded JWT secret and flawed token validation logic. As a result, unauthorized users can access protected API endpoints, including administrative functions and sensitive data such as workspace and datasource configurations that contain database credentials.

Such unauthorized access to sensitive data and administrative controls can lead to violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, the vulnerability undermines the security controls necessary for compliance with these regulations by enabling credential exposure and unauthorized data access.

Impact Analysis

This vulnerability allows an attacker to completely bypass authentication in the Datavines platform.

  • Unauthorized access to all protected API endpoints.
  • Ability to list all workspaces and their datasource configurations, which include sensitive database credentials.
  • Execution of arbitrary operations as any impersonated user, including administrative functions.
  • No valid password or user account is required to exploit this vulnerability.
Detection Guidance

This vulnerability can be detected by attempting to forge a JWT token using the known hardcoded secret and then using that token to access protected API endpoints. If access is granted without valid credentials, the system is vulnerable.

A practical detection method is to generate a forged JWT token with the default secret "asdqwe" and use it to call an API endpoint that requires authentication.

  • Generate a forged JWT token using Python:
  • ```python import jwt, time token = jwt.encode({ 'un': 'admin', 'up': 'FAKE_PASSWORD', 'ct': int(time.time()*1000), 'sub': 'admin', 'exp': int(time.time()) + 315360000 }, 'asdqwe', algorithm='HS256') print(token) ```
  • Use the forged token to access a protected API endpoint, for example:
  • ```bash curl -s http://TARGET:5600/api/v1/workspace/list -H "Authorization: Bearer <forged_token>" ```

If the response returns HTTP 200 with workspace data, it confirms the authentication bypass vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Remove or properly configure the hardcoded JWT secret to prevent use of the default secret "asdqwe".
  • Apply the patch that fixes the token validation logic by:
  • - Adding null and blank checks for token claims.
  • - Changing password validation to use BCrypt password hash verification instead of plaintext comparison.
  • - Eliminating the use of hardcoded secrets in the JWT token handler.
  • - Removing plaintext passwords from JWT claims and instead validating tokens using standard JWT claims and signature verification.

Since the project uses a rolling release model and version information is unavailable, it is advisable to monitor the official repository for the patch identified by commit e540d6dc04e2e6ad11907fb655f3728a13e7b939 and apply it as soon as possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7018. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart