CVE-2026-23958
Published: 22 January 2026
Summary
CVE-2026-23958 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in DataEase (vendor: Dataease). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 9.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SC-12 (Cryptographic Key Establishment and Management): requires secure establishment and management of the cryptographic keys used for JWT signing, directly preventing the use of weak, deterministic secrets derived from MD5 hashes of user passwords.
- SC-23 (Session Authenticity): mandates mechanisms to verify the authenticity of sessions and to prevent forgery of tokens such as JWTs through predictable or guessable signing secrets.
- AC-7 (Unsuccessful Logon Attempts): limits consecutive unsuccessful authentication attempts on API endpoints, slowing brute-force guessing of admin passwords used to derive JWT secrets.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability in the public-facing DataEase web application lets unauthenticated network attackers brute-force admin passwords through the JWT verification APIs, because the signing secret is derived from the weak MD5 hash of the password. This maps directly to exploitation of a public-facing application and to password guessing.
NVD Description
Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user's password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin's password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available.
Deeper analysis [AI-generated]
CVE-2026-23958 is a critical authentication vulnerability (CVSS 3.1 score of 9.8) affecting Dataease, an open-source data visualization analysis tool, in versions prior to 2.10.19. The flaw stems from the use of the MD5 hash of a user's password as the JWT signing secret, creating a deterministic derivation that undermines JWT token security. This issue, classified under CWE-522 (Insufficiently Protected Credentials), enables predictable secret computation based on known or guessable passwords.
Any unauthenticated attacker with network access can exploit this vulnerability by brute-forcing the admin password through unmonitored API endpoints that verify JWT tokens. Successful exploitation grants full administrative access, allowing confidentiality, integrity, and availability impacts with high severity, as reflected in the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability was addressed in Dataease version 2.10.19, with details available in the project's GitHub security advisory (GHSA-5wvm-4m4q-rh7j). No known workarounds exist prior to patching. Additional analysis is provided in security blogs such as the OX Security post on the issue.
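To make the root cause concrete, the following added example (not DataEase's code) contrasts the credential-derived signing secret the advisory describes with a randomly generated one, using a stdlib-only HS256 sign/verify and a configuration check that flags a key shaped like an MD5 digest. The password, claims and hex-digest encoding of the weak key are constructed assumptions; the page does not state how DataEase encoded the hash.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def weak_secret(password: str) -> bytes:
    """Pre-2.10.19 pattern described in the advisory: the signing key is MD5(password).
    Whoever knows (or guesses) the password knows the key, so the key has no more
    entropy than the password itself. Hex-digest encoding is an assumption here."""
    return hashlib.md5(password.encode()).hexdigest().encode()


def strong_secret() -> bytes:
    """Hardened pattern (SC-12): a 256-bit key from the OS CSPRNG, unrelated to any credential."""
    return secrets.token_bytes(32)


def key_looks_like_md5_digest(key: bytes) -> bool:
    """Deployment check: a 32-character lowercase hex string has the shape of an MD5 hex
    digest, a red flag that the key was derived from a credential rather than generated."""
    return len(key) == 32 and all(c in b"0123456789abcdef" for c in key)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS (HS256) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time signature check; malformed tokens are rejected rather than raising."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


if __name__ == "__main__":
    # Constructed sample: a token minted under the weak key verifies for anyone who
    # recomputes MD5 of the same password; a random key has no such shortcut.
    token = sign_hs256({"sub": "admin"}, weak_secret("admin123"))
    print("weak key recomputed from password verifies:", verify_hs256(token, weak_secret("admin123")))
    print("weak key flagged by shape check:", key_looks_like_md5_digest(weak_secret("admin123")))
    print("random key flagged by shape check:", key_looks_like_md5_digest(strong_secret()))
```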
Details
- CWE(s)