Insecure Token Handling in DataEase by DataEase
CVE-2026-57172

8.3HIGH

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-57172?

DataEase, an open source data visualization and analysis tool, had a significant issue in its ShareSecretManage feature before version 2.10.24. The use of a hardcoded default share link signature key allows attackers to exploit this vulnerability. If an attacker gains access to a passwordless share link for a user, they could craft forged JWTs, bypassing the TokenFilter verification. This enables unauthorized access to backend resources as though they were the original creator of the share, compromising data integrity and user security. The issue was addressed in version 2.10.24, and users are highly encouraged to update their installations to mitigate this risk.

Affected Version(s)

dataease < 2.10.24

References

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.