PT-2026-3770 · Dataease · Dataease
| Author | Mosesox +1 |
| Published | 2026-01-21 |
| Updated | 2026-02-17 |
| CVE | CVE-2026-23958 |
| CVSS v3.1 | 9.8 (Critical) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Dataease versions prior to 2.10.19
Description
Dataease, an open source data visualization and analysis tool, is susceptible to an account takeover vulnerability. The application uses the MD5 hash of a user's password as the JWT signing secret. Because the secret is derived predictably from the password, an attacker can brute-force an administrator's password through unmonitored API endpoints that verify JWT tokens.
Recommendations
Update to version 2.10.19 or later.
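As an added illustration (not code from Dataease or from this advisory), the weak secret derivation described above beside a hardened one, with an audit check that tells a defender whether a token from their deployment verifies under MD5(password). The claim names, the hex-digest form of the MD5 secret, and the HS256 algorithm are assumptions; the advisory does not state them.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample claims; Dataease's real claim layout is not given in the advisory.
SAMPLE_CLAIMS = {"userId": 1, "username": "admin"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT signer (no library, so the key handling is visible)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def weak_secret(password: str) -> bytes:
    """Vulnerable pattern from the advisory: the signing secret is MD5(password).
    Hex-digest form is an assumption. The secret's strength is then bounded by the
    password, so every token becomes an offline oracle for password guesses."""
    return hashlib.md5(password.encode()).hexdigest().encode()


def issue_token_vulnerable(claims: dict, password: str) -> str:
    return sign_hs256(claims, weak_secret(password))


def generate_server_secret() -> bytes:
    """Hardened: a random 256-bit server-held secret, independent of any credential."""
    return secrets.token_bytes(32)


def issue_token_fixed(claims: dict, server_secret: bytes) -> str:
    return sign_hs256(claims, server_secret)


def token_bound_to_password(token: str, password: str) -> bool:
    """Audit check for your own deployment: True means the token verifies under
    MD5(password), i.e. the vulnerable key derivation is still in use."""
    return verify_hs256(token, weak_secret(password))
```

Run the audit with a token issued to your own account and your own password; a token signed with a random server secret never verifies under MD5(password).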
Exploit
Fix
Weakness Enumeration
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Dataease