{
  "variant_id": "CVE-2026-23958-community-fallback-bypass",
  "created_at": "2026-05-25T23:22:00Z",
  "variant_summary": "The official v2.10.21 fix for CVE-2026-23958 patched only the xpack/enterprise JWT verification path (getPwd -> getSecret). The community-edition fallback path in CommunityTokenFilter and SubstituleLoginServer was left untouched. When DataEase is deployed without the proprietary xpack JARs (pure open-source build), the JWT is still signed and verified with MD5(default_password) as the signing secret, allowing an unauthenticated attacker to forge admin JWTs.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/dataease/dataease",
  "submitted_target": {
    "target_kind": "docker_image",
    "version": "v2.10.10",
    "display": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.10"
  },
  "variant_target": {
    "target_kind": "docker_image",
    "commit_sha": "e1085ffb75f42b6aca117edf36b30276bfdfe9aa",
    "version": "v2.10.21",
    "display": "dataease:v2.10.21-no-xpack (derived from registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.21)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "JWT authentication bypass via password-derived HMAC secret in community fallback path",
  "validated_surface": "Forged JWT accepted by /de2api/menu/query on no-xpack v2.10.21; rejected by regular v2.10.21",
  "required_entrypoint_kind": "http_api",
  "required_entrypoint_detail": "Any authenticated REST endpoint under /de2api/* when served by a no-xpack deployment",
  "attacker_controlled_input": "X-DE-TOKEN header containing a JWT forged with MD5(\"DataEase@123456\") secret",
  "trigger_path": "TokenFilter.doFilter -> CommunityTokenFilter.doFilter -> if (loginServer absent) -> Md5Utils.md5(SubstituleLoginConfig.getPwd())",
  "observed_impact_class": "authentication_bypass",
  "exploitability_confidence": "high",
  "evidence_scope": "runtime_tested",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "file_path": "sdk/common/src/main/java/io/dataease/auth/filter/CommunityTokenFilter.java",
  "line_start": 38,
  "line_end": 41,
  "secondary_anchors": [
    {
      "file_path": "core/core-backend/src/main/java/io/dataease/substitute/permissions/login/SubstituleLoginServer.java",
      "line_start": 35,
      "line_end": 38
    },
    {
      "file_path": "sdk/common/src/main/java/io/dataease/auth/config/SubstituleLoginConfig.java",
      "line_start": 44,
      "line_end": 55
    }
  ],
  "review_scope_paths": [
    "sdk/common/src/main/java/io/dataease/auth/filter/CommunityTokenFilter.java",
    "core/core-backend/src/main/java/io/dataease/substitute/permissions/login/SubstituleLoginServer.java",
    "sdk/common/src/main/java/io/dataease/auth/config/SubstituleLoginConfig.java"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/variant_test.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": ["vuln_variant/reproduction_steps.sh"]
  }
}
