{
  "variant_id": "CVE-2026-23958-community-fallback-bypass",
  "runtime_type": "docker",
  "images": {
    "vulnerable_variant": {
      "image": "dataease:v2.10.21-no-xpack",
      "derived_from": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.21",
      "modification": "Removed /opt/apps/xpack-base.jar, /opt/apps/xpack-permission.jar, /opt/apps/xpack-sync.jar"
    },
    "fixed_reference": {
      "image": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.21",
      "digest": "sha256:a36c8a9188b22ced7273b094b1a30394965832ee531d8cb496f03735d43a6f6c"
    },
    "mysql": {
      "image": "mysql:8.4"
    }
  },
  "test_procedure": [
    "Build no-xpack image from official v2.10.21 by stripping xpack JARs",
    "Start isolated MySQL container for each test case",
    "Start DataEase container (no-xpack or regular) linked to its MySQL",
    "Wait for Spring Boot application to finish startup",
    "Send a forged JWT (one whose HmacSHA256 signature does not verify; see regular_fixed notes) in the X-DE-TOKEN header to /de2api/menu/query",
    "Record HTTP status code and response headers/body",
    "Send baseline request without token to same endpoint",
    "Stop and remove containers, then repeat for the other image"
  ],
  "observed_behavior": {
    "no_xpack_variant": {
      "forged_jwt_status": 200,
      "baseline_no_token_status": 401,
      "notes": "Forged JWT is accepted: the response body is the real menu JSON, i.e. the request was treated as an authenticated admin session even though the token signature is not valid for the server"
    },
    "regular_fixed": {
      "forged_jwt_status": 401,
      "baseline_no_token_status": 401,
      "notes": "Forged JWT rejected; the response carries a DE-GATEWAY-FLAG header indicating an invalid HmacSHA256 signature, so signature verification is enforced when the xpack JARs are present"
    }
  },
  "test_runs": 2,
  "idempotency": "confirmed"
}
