Description
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs, bypass TokenFilter verification, and access backend resources as the share creator even if the original share has been revoked. This issue is fixed in version 2.10.24.
Published: 2026-07-07
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from a hardcoded JWT signing secret in DataEase’s ShareLink module. Attackers who can obtain a passwordless share for a resource or user can exploit the known key link-pwd-fit2cloud, forge linkToken JWTs, bypass TokenFilter verification, and access backend resources as the share creator even after the share has been revoked. This allows unauthorized access to protected data and services.

Affected Systems

DataEase dataease, all versions prior to 2.10.24, are affected. The vulnerability exists within the ShareSecretManage component and the hardcoded default share link signature key.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity. EPSS is not available, so exploitation likelihood is uncertain, but the lack of KEV listing does not reduce the potential impact. The attack vector requires access to a valid passwordless share, after which the attacker can easily construct a valid JWT using the hardcoded key. This can be performed without privileged access or code execution, making the flaw highly exploitable for users who share links or expose ShareLink URLs.

Generated by OpenCVE AI on July 8, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released update to DataEase version 2.10.24 or newer, which removes the hardcoded signing secret.
  • Disable ShareLink functionality or revoke all existing share links until the patch is applied.
  • Monitor backend logs for unauthorized linkToken usage and restrict access as an interim containment measure.

Generated by OpenCVE AI on July 8, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jul 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Dataease
Dataease dataease
Vendors & Products Dataease
Dataease dataease

Tue, 07 Jul 2026 21:00:00 +0000

Type Values Removed Values Added
Description DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs, bypass TokenFilter verification, and access backend resources as the share creator even if the original share has been revoked. This issue is fixed in version 2.10.24.
Title DataEase: Hardcoded JWT Signing Secret in ShareLink
Weaknesses CWE-321
CWE-798
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Dataease Dataease
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T13:37:38.831Z

Reserved: 2026-06-24T01:47:55.285Z

Link: CVE-2026-57172

cve-icon Vulnrichment

Updated: 2026-07-08T13:37:09.719Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T16:00:05Z

Weaknesses
  • CWE-321

    Use of Hard-coded Cryptographic Key

  • CWE-798

    Use of Hard-coded Credentials