CVE-2026-11618
Status: Received - Intake
Authentication Bypass in DTStack Taier via Source Connection Test

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulDB

Description
A vulnerability was found in DTStack Taier up to version 1.4.0. The affected code is the preHandle function in taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInterceptor.java, part of the Source Connection Test Endpoint component. Manipulation of the request can lead to improper authentication. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The fix is commit f95389e7f74acec42bcee079a616aaa06f9551d2; applying it remediates the issue.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)

Vendor      Product       Version / Range
dtstack     taier         up to 1.4.0 (inclusive)
postgresql  jdbc_driver   up to 42.2.25 (exclusive)
postgresql  jdbc_driver   42.2.25
CWE ID    Description
CWE-287   When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Quick Actions (insights generated by AI)
Executive Summary

This vulnerability exists in DTStack Taier up to version 1.4.0, specifically in the preHandle function of the LoginInterceptor component. It allows an attacker to bypass authentication by exploiting improper token validation, where any non-empty token is accepted without verifying its signature or validity.

An attacker can then inject a malicious JDBC URL through the Source Connection Test Endpoint, which is passed unsanitized to the database connection manager. This can lead to remote code execution (RCE) by leveraging a vulnerable PostgreSQL JDBC driver that allows loading and executing malicious XML payloads from an attacker-controlled server.

The exploit requires only a few HTTP requests and can result in complete server takeover, including access to all data source credentials and potential lateral movement to connected databases and clusters.

Impact Analysis

This vulnerability can have severe impacts, including unauthorized remote code execution on the server running DTStack Taier.

An attacker can gain root privileges, fully compromising the server, accessing all stored data source credentials, and potentially moving laterally to other connected databases and clusters.

This can lead to data breaches, loss of data integrity, service disruption, and unauthorized access to sensitive information.

Detection Guidance

Exposure can be confirmed by reviewing the LoginInterceptor's preHandle logic for missing token validation; exploitation attempts can be detected by identifying malicious JDBC URL parameters in requests to the Source Connection Test Endpoint.

Specifically, detection involves monitoring HTTP requests for the presence of a fake or non-validated token cookie and suspicious JDBC URLs containing dangerous parameters such as autoDeserialize or allowLoadLocalInfile.

Commands to detect exploitation attempts could include inspecting HTTP request logs for unusual token values and JDBC URL patterns, for example using grep or similar tools (note that a default web server access log records neither the Cookie header nor POST bodies, so these patterns only match if request logging has been extended to capture them):

  • grep -i 'Cookie: token=' /var/log/httpd/access.log
  • grep -E 'autoDeserialize|allowLoadLocalInfile|socketFactory' /var/log/httpd/access.log

Additionally, network monitoring tools can be used to detect outbound connections to suspicious external servers hosting malicious XML payloads referenced in JDBC URLs.

Mitigation Strategies

Immediate mitigation steps include applying the security patch that fixes the improper authentication in the LoginInterceptor and updates the PostgreSQL JDBC driver to a patched version.

Specifically, ensure that JWT tokens are properly validated and decrypted, implement an allow-list of permitted JDBC URL parameters so that dangerous ones are rejected, and upgrade the PostgreSQL JDBC driver from version 42.2.2 to 42.2.25 or later.

Also, review and restrict access to the Source Connection Test Endpoint to trusted users only, and monitor for suspicious activity as described.
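The following is an added example, not code from the Taier project or from this advisory, showing the two controls described in the Detection Guidance and Mitigation Strategies above: an allow-list gate for PostgreSQL JDBC URL parameters that a connection-test handler could run before handing the URL to the driver, and a scanner that applies the same gate to logged requests. The endpoint path `/api/source/test`, the log line format, the sample log lines and the contents of the allow-list are all assumptions made for the example.

```python
"""Allow-list validation of PostgreSQL JDBC URL parameters, plus a scanner that
flags logged connection-test requests whose jdbcUrl fails that validation.
Added example; not Taier project code. Endpoint path, log format and the
allow-list contents are assumptions."""
import re
from urllib.parse import parse_qs, unquote

# Parameters considered safe to pass to the driver. This set is an assumption
# for the example; a deployment should derive it from what its connection
# test actually needs. Anything not listed here is rejected, so the page's
# dangerous parameters (autoDeserialize, allowLoadLocalInfile, socketFactory)
# are blocked without having to enumerate them.
ALLOWED_JDBC_PARAMS = frozenset({
    "user", "password", "ssl", "sslmode", "connectTimeout",
    "currentSchema", "ApplicationName",
})

JDBC_URL_RE = re.compile(r"^jdbc:postgresql://([^/?]+)(?:/([^?]*))?(?:\?(.*))?$")


def parse_jdbc_url(url):
    """Split a PostgreSQL JDBC URL into (host_port, database, {param: value}).
    Raises ValueError for anything that is not a postgresql JDBC URL."""
    m = JDBC_URL_RE.match(url.strip())
    if not m:
        raise ValueError("not a postgresql JDBC URL")
    host_port, database, query = m.groups()
    params = {}
    for pair in (query or "").split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return host_port, database or "", params


def disallowed_params(url):
    """Sorted list of parameter names in the URL that are not on the allow-list."""
    _, _, params = parse_jdbc_url(url)
    return sorted(k for k in params if k not in ALLOWED_JDBC_PARAMS)


def validate_jdbc_url(url):
    """Gate a connection-test handler can run before using the URL.
    Returns (ok, reason)."""
    try:
        bad = disallowed_params(url)
    except ValueError as e:
        return False, str(e)
    if bad:
        return False, "disallowed parameters: " + ", ".join(bad)
    return True, "ok"


# --- log scanning --------------------------------------------------------
# Constructed log format (assumption): "<client-ip> <method> <path> <body>",
# where <body> is the form-encoded request body. Real deployments will need
# to adapt LOG_RE to their own access or application log.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
CONNECTION_TEST_PATH = "/api/source/test"  # assumed path, not from the advisory

# Constructed sample lines: one benign test, one carrying a non-allow-listed
# socketFactory parameter, one unrelated request.
SAMPLE_LOG = [
    "10.0.0.5 POST /api/source/test jdbcUrl=jdbc%3Apostgresql%3A%2F%2Fdb.internal"
    "%3A5432%2Fapp%3Fuser%3Dtaier%26sslmode%3Drequire",
    "10.0.0.9 POST /api/source/test jdbcUrl=jdbc%3Apostgresql%3A%2F%2Fdb.internal"
    "%3A5432%2Fapp%3Fuser%3Dtaier%26socketFactory%3Dorg.example.Factory",
    "10.0.0.7 GET /api/health -",
]


def scan_log_lines(lines, endpoint_path=CONNECTION_TEST_PATH):
    """Return [(line_no, client_ip, reason)] for requests to the connection-test
    endpoint whose jdbcUrl field fails the allow-list check."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, body = m.groups()
        if path != endpoint_path:
            continue
        fields = parse_qs(body, keep_blank_values=True)
        for url in fields.get("jdbcUrl", []):
            ok, reason = validate_jdbc_url(url)
            if not ok:
                findings.append((n, ip, reason))
    return findings


if __name__ == "__main__":
    for line_no, ip, reason in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {ip}: {reason}")
```

The gate is an allow-list rather than a deny-list on purpose: the advisory names three dangerous parameters, but the safe approach is to accept only the handful the connection test needs and reject everything else, so the check does not depend on keeping a list of bad names current. The same function serves both the handler and the log scanner, so what is blocked in production is exactly what is flagged in review.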
