CVE-2026-57172
Received Received - Intake

Hardcoded Key Bypass in DataEase

Vulnerability report for CVE-2026-57172, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs, bypass TokenFilter verification, and access backend resources as the share creator even if the original share has been revoked. This issue is fixed in version 2.10.24.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sharesecretmanage sharesecretmanage 2.10.24

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects DataEase, an open source data visualization and analysis tool, specifically versions prior to 2.10.24. The ShareSecretManage component uses a hardcoded default share link signature key. An attacker who obtains a passwordless share for a resource and user can exploit this known key (link-pwd-fit2cloud) to forge linkToken JWTs. This allows the attacker to bypass TokenFilter verification and access backend resources as if they were the share creator, even if the original share has been revoked.

Impact Analysis

The vulnerability can allow an attacker to gain unauthorized access to backend resources by forging authentication tokens. This means sensitive data or functionalities could be accessed or manipulated by unauthorized users, potentially leading to data breaches, loss of data integrity, or unauthorized actions within the system.

Mitigation Strategies

The vulnerability is fixed in DataEase version 2.10.24. Immediate mitigation involves upgrading ShareSecretManage to version 2.10.24 or later to eliminate the use of the hardcoded default share link signature key.

Until the upgrade is applied, avoid using passwordless shares and revoke any existing shares that might be vulnerable to token forgery.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart