CVE-2026-23958

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

D

ataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available.

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j	Exploit Vendor Advisory
https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

17 Feb 2026, 16:28

Type	Values Removed	Values Added
First Time		Dataease dataease Dataease
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j -~~	() https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j - Exploit, Vendor Advisory
References	~~() https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/ -~~	() https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/ - Exploit, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:dataease:dataease::::::::

26 Jan 2026, 17:16

Type	Values Removed	Values Added
References		() https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/ -

22 Jan 2026, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-22 02:15

Updated : 2026-02-17 16:28

NVD link : CVE-2026-23958

Mitre link : CVE-2026-23958

CVE.ORG link : CVE-2026-23958

JSON object : View

Products Affected

dataease

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2026-23958", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-22T02:15:52.627", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.ox.security/blog/blog-dataease-cve-2026-23958-admin-takeover/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user\u2019s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin\u2019s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available."}], "lastModified": "2026-02-17T16:28:47.743", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74084BB3-D364-4DCE-A125-A8509D6284BD", "versionEndExcluding": "2.10.19"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}