CVE-2026-57172 in DataEase
Summary
by MITRE • 07/07/2026
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use the known key link-pwd-fit2cloud to forge linkToken JWTs, bypass TokenFilter verification, and access backend resources as the share creator even if the original share has been revoked. This issue is fixed in version 2.10.24.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability in DataEase affects versions prior to 2.10.24 and involves a critical security flaw in the ShareSecretManage component that undermines the integrity of the sharing mechanism. This weakness stems from the use of a hardcoded default share link signature key, which creates a predictable authentication vector that can be exploited by malicious actors. The issue specifically impacts the JWT token generation process where the system relies on a static secret key rather than implementing proper cryptographic randomness or dynamic key generation. According to CWE-327, this vulnerability represents a significant weakness in cryptographic implementation, as it employs a hardcoded secret that violates fundamental security principles for secure token creation.
The operational impact of this vulnerability extends beyond simple privilege escalation, creating a persistent threat vector that allows attackers to bypass the TokenFilter verification mechanism entirely. An attacker who obtains a passwordless share link for any resource and user can leverage the known key "link-pwd-fit2cloud" to forge valid linkToken JWTs without requiring legitimate credentials or authorization. This exploitation pathway enables unauthorized access to backend resources as if the original share creator had granted permissions, effectively circumventing all access controls that should have been in place. The vulnerability is particularly dangerous because it maintains access even after the original share has been revoked, creating a persistent backdoor that persists beyond normal administrative controls.
This security flaw directly relates to ATT&CK technique T1078.004 which covers legitimate credentials and T1566.002 which involves credential harvesting through social engineering or system exploitation. The vulnerability creates an environment where attackers can maintain unauthorized access through forged tokens, essentially providing a permanent method of bypassing authentication. The hardcoded key implementation represents a failure in proper key management practices that should align with NIST SP 800-57 guidelines for cryptographic key management and secure credential handling. Organizations using DataEase versions prior to 2.10.24 face significant risk as this vulnerability allows for unauthorized data access, potential information disclosure, and could enable further exploitation through lateral movement within affected systems.
The recommended mitigation involves immediate upgrade to version 2.10.24 or later where the hardcoded default signature key has been replaced with a proper dynamic key generation mechanism. System administrators should also implement additional monitoring for unusual token generation patterns and access attempts that might indicate exploitation of this vulnerability. Organizations should conduct thorough security audits of all DataEase installations to identify any potentially compromised shares and revoke access to affected resources. The fix addresses the root cause by implementing proper cryptographic practices that ensure each share link uses a unique, randomly generated signature key rather than relying on static credentials that can be discovered and exploited by attackers.