Vulnerability in DataEase Open Source Tool Allows Forged Token Acceptance
CVE-2026-46684

9.5CRITICAL

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-46684?

DataEase, an open source data visualization and analysis tool, has a significant security flaw in its token handling mechanism before version 2.10.23. The flaw occurs in the processing of authentication tokens, where improper checks allow X-DE-TOKEN values to bypass signature verification. This vulnerability permits attackers to generate forged tokens with arbitrary user IDs and organization IDs, thus potentially gaining unauthorized access when the license validation is enabled. It is crucial for users of DataEase to upgrade to version 2.10.23 or later to mitigate this risk.

Affected Version(s)

dataease < 2.10.23

References

CVSS V4

Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.