Improper Authentication in DataEase - CVE-2025-49001
Published: April 16, 2026
Vulnerability identifier: #VU126341
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-49001
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: DataEase
Affected software:
DataEase
DataEase
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper authentication in TokenFilter.java and CommunityTokenFilter.java when handling requests with a crafted X-DE-TOKEN header. A remote attacker can send a specially crafted JWT token to bypass authentication.
The issue occurs because the token is decoded to extract uid and oid without verifying its legitimacy, and processing continues through the filter chain even after token signature verification fails.
How to mitigate CVE-2025-49001
Install security update from vendor's website.