{
  "variant_id": "CVE-2026-23958-community-fallback-bypass",
  "verdict": "confirmed_bypass",
  "confidence": "high",
  "explanation": "The official v2.10.21 fix only patched the xpack/enterprise JWT verification path (getPwd -> getSecret); the community fallback path was left untouched. To isolate that path, we removed the proprietary xpack JARs from the v2.10.21 Docker image, producing a pure open-source deployment of the same version. In this deployment, a forged JWT signed with MD5(\"DataEase@123456\") is accepted (HTTP 200) by authenticated endpoints, while the same JWT is rejected (HTTP 401) by the stock v2.10.21 image that includes the xpack JARs. Because the two deployments differ only in the presence of the xpack JARs, the difference in outcome is attributable to the unpatched fallback path: the fix is incomplete and the community fallback path remains a bypass.",
  "tested_versions": {
    "vulnerable_variant": "dataease:v2.10.21-no-xpack (derived from registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.21)",
    "fixed_reference": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.21"
  },
  "evidence": {
    "variant_reproduced": true,
    "bypass_on_fixed_version": true,
    "bypass_explanation": "The 'fixed' Docker image ships the xpack JARs, so the patched verification path is the one exercised. When those JARs are absent (as we expect for a community build that does not bundle the proprietary xpack modules; note this was simulated here by stripping the JARs from the official image rather than by testing a separately built community artifact), the unpatched community fallback path is selected and the same forged JWT is accepted.",
    "logs": [
      "logs/variant_test.log",
      "logs/no_xpack_bypass_headers.txt",
      "logs/no_xpack_bypass_body.txt",
      "logs/no_xpack_baseline_headers.txt",
      "logs/full_bypass_headers.txt",
      "logs/full_baseline_headers.txt"
    ]
  },
  "blocking_mitigation": null,
  "claim_block_reason": null
}
