{
  "variant_id": "CVE-2026-23958-community-fallback-bypass",
  "root_cause_equivalent": true,
  "explanation": "The variant and the original CVE share the same root cause: the JWT HMAC signing/verification secret is derived from a hardcoded default admin password (DataEase@123456) via MD5 hashing, so the secret has no more entropy than the password itself. In the original CVE, this occurred in the xpack path, where CommunityTokenFilter used userCacheBO.getPwd() (which returned MD5(password)). In the bypass variant, it occurs in the community fallback path, where CommunityTokenFilter uses Md5Utils.md5(SubstituleLoginConfig.getPwd()) and SubstituleLoginServer signs JWTs with the same value. Both paths reach the same sink (Algorithm.HMAC256(secret)) with the same weak, predictable secret.",
  "shared_sinks": [
    "sdk/common/src/main/java/io/dataease/auth/filter/CommunityTokenFilter.java: Algorithm.HMAC256(secret)",
    "core/core-backend/src/main/java/io/dataease/substitute/permissions/login/SubstituleLoginServer.java: Algorithm.HMAC256(md5Pwd)"
  ],
  "shared_root_conditions": [
    "Default admin password is hardcoded as 'DataEase@123456' in SubstituleLoginConfig",
    "JWT secret is derived from MD5(password) instead of a cryptographically random key",
    "Secret is predictable and identical across every installation that still uses the default admin password"
  ],
  "differing_surfaces": [
    "Original: xpack/enterprise path with loginServer bean present (getPwd -> getSecret fix applied)",
    "Variant: community fallback path with loginServer bean absent (no fix applied)"
  ]
}
