CVE-2026-23958: DataEase: authentication bypass via password-derived HMAC JWT signing key
CVE-2026-23958 is verified against dataease · github affected versions: <= v2.10.20 fixed version: v2.10.21 vulnerability class: RCE This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00168.
pruva-verify REPRO-2026-00168 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00168/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh DataEase (a Spring Boot data-visualization platform; the Chinese equivalent of Metabase / Superset) signs its authentication JWTs with an HMAC-SHA256 key derived from the admin password. In the community edition the derivation is literally MD5(SubstituleLoginConfig.getPwd()), and the password defaults to the documented constant DataEase@123456 that ships with every fresh install via dataease.default-pwd.
An unauthenticated, anonymous attacker with only network access can therefore:
- Compute
secret = MD5("DataEase@123456"). - Forge a JWT with header
{alg: HS256, typ: JWT}and payload{uid: 1, oid: 1}. - Present it as the
X-DE-TOKEN(DataEase's auth header) and call any authenticated REST endpoint as the admin user.
This is the first link in a 4-CVE exploit chain (CVE-2026-23958 → 40899 → 40900 → 40901) that culminates in unauthenticated RCE per the OX disclosure.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.