CVE-2026-23958

9.8 CRITICAL

📋 TL;DR

Dataease versions before 2.10.19 use MD5-hashed passwords as JWT signing secrets, allowing attackers to brute-force admin passwords via unmonitored API endpoints. This vulnerability affects all Dataease deployments using vulnerable versions. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Dataease
Versions: All versions prior to 2.10.19
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using default JWT configuration are vulnerable regardless of environment.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full administrative takeover of the Dataease instance, allowing data exfiltration, system manipulation, and potential lateral movement to connected systems.

🟠 Likely Case: Unauthorized admin access leading to data theft, configuration changes, and privilege escalation within the Dataease environment.

🟢 If Mitigated: Limited impact if strong password policies and network segmentation prevent brute-force attempts.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exposed to brute-force attacks without requiring internal access.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to JWT tokens and ability to brute-force MD5 hashes, which is computationally inexpensive.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.19

Vendor Advisory: https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j

Restart Required: Yes

Instructions:

1. Back up the current Dataease installation and data.
2. Download version 2.10.19 from the official repository.
3. Stop the Dataease service.
4. Replace the installation with the new version.
5. Restart the Dataease service.
6. Verify functionality.

🧯 If You Can't Patch

  • Implement strict network access controls to limit API endpoint exposure
  • Enforce strong password policies and monitor for brute-force attempts

🔍 How to Verify

Check if Vulnerable:

Check Dataease version via web interface or configuration files; versions below 2.10.19 are vulnerable.

Check Version:

Check Dataease web interface admin panel or review application configuration files for version information.

Verify Fix Applied:

Confirm version is 2.10.19 or higher and test JWT token generation/validation functionality.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts
  • Unusual API endpoint access patterns
  • JWT token validation errors

Network Indicators:

  • High volume of requests to authentication endpoints
  • Unusual traffic to JWT-related API endpoints

SIEM Query:

source="dataease" AND (event_type="auth_failure" OR endpoint="*/api/*/jwt*") | stats count by src_ip
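The SIEM query above counts auth failures and JWT-endpoint hits per source address. The following is an added example, not code from the Dataease project or this advisory, that applies the same logic offline to constructed sample log lines (the key=value log format, the endpoint paths and the IP addresses are assumptions; adjust LOG_RE to the real log format) and flags sources that exceed a threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not Dataease's real log format).
SAMPLE_LOGS = """\
2026-01-15T10:00:01Z src_ip=203.0.113.7 endpoint=/api/v1/login event_type=auth_failure user=admin
2026-01-15T10:00:09Z src_ip=203.0.113.7 endpoint=/api/v1/login event_type=auth_failure user=admin
2026-01-15T10:00:17Z src_ip=203.0.113.7 endpoint=/api/v1/login event_type=auth_failure user=admin
2026-01-15T10:00:25Z src_ip=203.0.113.7 endpoint=/api/v1/login event_type=auth_failure user=admin
2026-01-15T10:00:33Z src_ip=203.0.113.7 endpoint=/api/v1/login event_type=auth_failure user=admin
2026-01-15T10:00:41Z src_ip=203.0.113.7 endpoint=/api/v1/jwt/refresh event_type=request
2026-01-15T10:01:00Z src_ip=198.51.100.9 endpoint=/api/v1/login event_type=auth_failure user=alice
2026-01-15T10:02:30Z src_ip=198.51.100.9 endpoint=/api/v1/login event_type=auth_success user=alice
2026-01-15T10:03:00Z src_ip=192.0.2.4 endpoint=/api/v1/dashboard event_type=request
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src_ip=(?P<src_ip>\S+) endpoint=(?P<endpoint>\S+) "
    r"event_type=(?P<event_type>\S+)(?: user=(?P<user>\S+))?$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: max_events_in_window} for sources whose auth failures
    plus JWT-endpoint hits (the SIEM query's two conditions) reach `threshold`
    inside any sliding window of length `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event_type"] == "auth_failure" or "/jwt" in rec["endpoint"]:
            events[rec["src_ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Tune `threshold` and `window` to the normal failure rate of your deployment before alerting on the result.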
