CVE-2026-7018
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Summary
A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Datavane | Datavines | 13607645e14a4982468cfdbcf75c85cde63bae71 | affected |
Weaknesses
- CWE-321: Use of Hard-coded Cryptographic Key
- CWE-320: Key Management Error
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://vuldb.com/vuln/359597
- https://vuldb.com/vuln/359597/cti
- https://vuldb.com/submit/797305
- https://github.com/datavane/datavines/issues/580
- https://github.com/datavane/datavines/pull/579
- https://github.com/datavane/datavines/issues/580#issue-4206839649
- https://github.com/datavane/datavines/pull/579/changes/e540d6dc04e2e6ad11907fb655f3728a13e7b939
- https://github.com/datavane/datavines/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.