{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23958", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T14:49:06.313Z", "datePublished": "2026-01-22T01:42:11.514Z", "dateUpdated": "2026-01-26T16:18:33.334Z"}, "containers": {"cna": {"title": "DataEase Vulnerable to Brute-Force Attack on Admin JWT Secret Derived from Password that Enables Full Account Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 2.10.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T01:42:11.514Z"}, "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user\u2019s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin\u2019s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available."}], "source": {"advisory": "GHSA-5wvm-4m4q-rh7j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T21:41:49.212091Z", "id": "CVE-2026-23958", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:42:01.231Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-26T16:18:33.334Z"}, "references": [{"url": "https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-26T16:18:33.334Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23958", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T21:41:49.212091Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:41:55.986Z"}}], "cna": {"title": "DataEase Vulnerable to Brute-Force Attack on Admin JWT Secret Derived from Password that Enables Full Account Takeover", "source": {"advisory": "GHSA-5wvm-4m4q-rh7j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 2.10.19"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user\u2019s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin\u2019s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T01:42:11.514Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23958", "state": "PUBLISHED", "dateUpdated": "2026-01-26T16:18:33.334Z", "dateReserved": "2026-01-19T14:49:06.313Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T01:42:11.514Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "74084BB3-D364-4DCE-A125-A8509D6284BD", "versionEndExcluding": "2.10.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user\u2019s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin\u2019s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available."}], "id": "CVE-2026-23958", "lastModified": "2026-02-17T16:28:47.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-22T02:15:52.627", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:00:09.096114+00:00", "value": {"mitigation_remediation": ["Upgrade DataEase to version 2.10.19 or later, which removes the deterministic JWT secret derivation.", "After upgrade, force a password reset for all administrators to eliminate the legacy hash relationship.", "Implement rate\u2011limiting or disable the unauthenticated JWT validation endpoints to prevent brute\u2011force attempts."], "summary": {"action": "Immediate Patch", "impact": "Full Account Takeover via Brute\u2011Force of Admin JWT Secret"}, "threat_synthesis": {"affected_systems": "DataEase (dataease) versions prior to 2.10.19 are affected.", "description_and_impact": "DataEase is an open source data visualization and analysis platform. A flaw in versions earlier than 2.10.19 allows an attacker to learn the administrator\u2019s password by brute\u2011forcing the JWT signing secret, because the secret is simply the MD5 hash of the password. This deterministic derivation can be exploited through unprotected API endpoints that validate JWTs.\n\nThe vulnerability enables a full takeover of the admin account, giving the attacker full control over data, configuration, and other user accounts. The flaw is a direct consequence of CWE\u2011522, where credentials are exposed through deterministic secret generation, allowing offline guessing.\n\nThe CVSS score of 8.8 indicates high severity, but low EPSS (<1%) suggests that, as of now, few or no active exploits are observed. Nevertheless, the vulnerability is not yet listed in KEV. Attackers would need to identify a vulnerable instance, enumerate the password hash by sending JWT tokens with guessed passwords, and eventually succeed in guessing the real password to access the admin console. No workaround exists, so the only viable option is to apply the official patch.", "risk_and_exploitability": "The high CVSS score highlights the serious impact of the vulnerability, yet the very low EPSS indicates limited exploitation in the wild at present. Because the flaw lies in a deterministic, hash\u2011derived JWT secret, an attacker who discovers a vulnerable instance can perform offline brute\u2011force attacks against the admin password through exposed token\u2011validation endpoints, ultimately achieving full account compromise. The lack of a published workaround or KEV designation does not diminish the urgency of applying the service\u2011pack release that removes the insecure secret derivation."}}}}, "created": "2026-01-22T10:08:13.696284+00:00", "updated": "2026-04-18T04:15:05.865106+00:00", "vendors": ["dataease", "dataease$PRODUCT$dataease"]}