Impact
DataEase is an open source data visualization and analysis platform. A flaw in versions earlier than 2.10.19 allows an attacker to learn the administrator's password by brute-forcing the JWT signing secret, because the secret is simply the MD5 hash of that password. This deterministic derivation can be exploited through unprotected API endpoints that validate JWTs: once an attacker can observe whether a token validates, each password guess can be checked offline by hashing it and testing the resulting secret against a token, without any further interaction with the server. The vulnerability enables a full takeover of the admin account, giving the attacker full control over data, configuration, and other user accounts. The flaw is a direct consequence of CWE-522 (Insufficiently Protected Credentials): the credential is effectively exposed because the signing secret is derived deterministically from it, which allows offline guessing. The CVSS score of 8.8 indicates high severity, but the low EPSS (<1%) suggests that, as of now, few or no active exploits are observed. Consistent with that, the vulnerability is not yet listed in KEV. Attackers would need to identify a vulnerable instance, submit JWTs signed with the MD5 of guessed passwords to the token-validating endpoints, and eventually guess the real password to access the admin console. No workaround exists, so the only viable option is to apply the official patch.
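The following added example (not DataEase code; the project's actual token format and signing algorithm are not shown on this page, so HS256 and the hex-encoded MD5 form of the secret are assumptions) contrasts the weak, password-derived secret described above with a randomly generated one, and gives an audit check a defender can run against a configured secret and the admin password. It also shows why rotating the secret is the right remediation step alongside patching: tokens signed under the old, guessable secret stop validating the moment the secret changes.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt_hs256(payload: dict, secret: bytes) -> str:
    """Mint a minimal HS256 JWT (assumed algorithm; illustrative only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt_hs256(token: str, secret: bytes) -> bool:
    """Return True only if the token's signature matches under `secret`."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), s)


def weak_secret_from_password(password: str) -> bytes:
    """The vulnerable pattern from the advisory: secret = MD5(password).

    The secret's entropy is capped by the password's entropy, not by MD5's
    128-bit output, so guessing the password is the same as guessing the secret.
    """
    return hashlib.md5(password.encode()).hexdigest().encode()


def generate_random_secret() -> bytes:
    """Hardened alternative: 256 bits from the OS CSPRNG, stored server-side."""
    return secrets.token_bytes(32)


def secret_is_password_derived(secret: bytes, admin_password: str) -> bool:
    """Defender audit check: is the configured signing secret just MD5(admin password)?

    Compares against hex (lower/upper) and raw digest forms, since the exact
    encoding used by a given product is an assumption here.
    """
    digest = hashlib.md5(admin_password.encode())
    candidates = (
        digest.hexdigest().encode(),
        digest.hexdigest().upper().encode(),
        digest.digest(),
    )
    return any(hmac.compare_digest(secret, c) for c in candidates)


def rotation_invalidates_old_tokens(password: str) -> dict:
    """Walk through the remediation: rotate to a random secret and confirm
    that tokens issued under the password-derived secret no longer validate."""
    old_secret = weak_secret_from_password(password)
    token = sign_jwt_hs256({"sub": "admin", "role": "admin"}, old_secret)
    new_secret = generate_random_secret()
    return {
        "old_secret_is_password_derived": secret_is_password_derived(old_secret, password),
        "new_secret_is_password_derived": secret_is_password_derived(new_secret, password),
        "token_valid_before_rotation": verify_jwt_hs256(token, old_secret),
        "token_valid_after_rotation": verify_jwt_hs256(token, new_secret),
    }


if __name__ == "__main__":
    # Constructed sample password; any real deployment value would be a placeholder here.
    print(rotation_invalidates_old_tokens("Admin-Example-Password"))
```

The audit function is the practical takeaway for operators: if it returns True for your instance, the signing secret must be rotated to a random value in addition to upgrading, because every token already issued under the old secret remains verifiable by anyone who guesses the password.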
Affected Systems
DataEase (dataease) versions prior to 2.10.19 are affected.
Risk and Exploitability
The high CVSS score highlights the serious impact of the vulnerability, yet the very low EPSS indicates limited exploitation in the wild at present. Because the flaw lies in a deterministic, hash-derived JWT secret, an attacker who discovers a vulnerable instance can perform offline brute-force attacks against the admin password through exposed token-validation endpoints, ultimately achieving full account compromise. The lack of a published workaround or KEV designation does not diminish the urgency of applying the fixed release, 2.10.19, which removes the insecure secret derivation.
OpenCVE Enrichment