Insecure Token Handling in DataEase by DataEase
CVE-2026-57172
8.3HIGH
What is CVE-2026-57172?
DataEase, an open source data visualization and analysis tool, had a significant issue in its ShareSecretManage feature before version 2.10.24. The use of a hardcoded default share link signature key allows attackers to exploit this vulnerability. If an attacker gains access to a passwordless share link for a user, they could craft forged JWTs, bypassing the TokenFilter verification. This enables unauthorized access to backend resources as though they were the original creator of the share, compromising data integrity and user security. The issue was addressed in version 2.10.24, and users are highly encouraged to update their installations to mitigate this risk.
Affected Version(s)
dataease < 2.10.24
