Back to overview

CVE-2026-46684

CRITICAL
9.5
CVSS 4.0
Description
DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase enterprise token handling can let TokenFilter#doFilter() pass X-DE-TOKEN values to TokenUtils.validate(), which checks only token presence and length before userBOByToken(token) uses JWT.decode() without signature verification, allowing forged tokens with chosen uid and oid values to be accepted when licenseValid=true. This issue is fixed in version 2.10.23.

Metadata

CVE ID
CVE-2026-46684
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-15 21:46 UTC
Published
2026-07-15 19:41 UTC
Last updated
2026-07-15 19:41 UTC
Primary CWE
CWE-347
CWE-347: Improper Verification of Cryptographic Signature
Vendor / Product
dataease / dataease
Sources
cve.org  ·  NVD

Severity & Metrics

9.5 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products (1)
VendorProductPlatformVersions
dataease dataease < 2.10.23
Weakness (CWE)
CWESourceDescription
CWE-347 cna CWE-347: Improper Verification of Cryptographic Signature
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.5 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References (3)
Back to overview