DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase enterprise token handling can let TokenFilter#doFilter() pass X-DE-TOKEN values to TokenUtils.validate(), which checks only token presence and length before userBOByToken(token) uses JWT.decode() without signature verification, allowing forged tokens with chosen uid and oid values to be accepted when licenseValid=true. This issue is fixed in version 2.10.23.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Dataease
Dataease dataease |
|
| Vendors & Products |
Dataease
Dataease dataease |
Wed, 15 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase enterprise token handling can let TokenFilter#doFilter() pass X-DE-TOKEN values to TokenUtils.validate(), which checks only token presence and length before userBOByToken(token) uses JWT.decode() without signature verification, allowing forged tokens with chosen uid and oid values to be accepted when licenseValid=true. This issue is fixed in version 2.10.23. | |
| Title | DataEase: Unauthorized Command Execution Vulnerability | |
| Weaknesses | CWE-347 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T19:41:15.036Z
Reserved: 2026-05-15T21:46:51.548Z
Link: CVE-2026-46684
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:00:06Z