{
  "cve_id": "CVE-2026-23958",
  "title": "DataEase authentication bypass via password-derived JWT signing key",
  "reproduced": true,
  "vulnerable_version": "v2.10.10",
  "fixed_version": "v2.10.21",
  "reproduction_method": "docker",
  "reproduction_script": "repro/reproduction_steps.sh",
  "baseline_result": {
    "version": "v2.10.10",
    "anonymous_request": "401",
    "forged_jwt_request": "200",
    "notes": "JWT signed with MD5(DataEase@123456) accepted; downstream license check returns 200 with code 60003"
  },
  "fixed_result": {
    "version": "v2.10.21",
    "same_forged_jwt_request": "401",
    "response_header": "DE-GATEWAY-FLAG: The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256",
    "notes": "Same JWT replayed against same database is rejected"
  },
  "idempotency_confirmed": true,
  "run_count": 2,
  "discrepancies": [
    "Ticket labels v2.10.20 as vulnerable, but Docker image v2.10.20 already contains the getSecret() fix. v2.10.10 is the last confirmed vulnerable Docker image."
  ],
  "artifacts": {
    "logs": [
      "logs/repro_run1.log",
      "logs/repro_run2.log",
      "logs/vulnerable_attack_response.txt",
      "logs/fixed_attack_response.txt",
      "logs/vulnerable_transcript.txt",
      "logs/fixed_transcript.txt"
    ],
    "reports": [
      "repro/rca_report.md",
      "repro/reproduction_steps.sh"
    ]
  },
  "timestamp": "2026-05-25T22:59:00Z"
}