#VU126341 Improper Authentication in DataEase - CVE-2025-49001


Published: April 16, 2026


Vulnerability identifier: #VU126341
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-49001
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: DataEase
Software vendor: DataEase

Description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in TokenFilter.java and CommunityTokenFilter.java when handling requests that carry a crafted X-DE-TOKEN header. A remote attacker can send a specially crafted JWT in that header to bypass authentication.

The issue occurs because the token is decoded to extract the uid and oid claims before its legitimacy is verified, and processing continues through the filter chain even after signature verification of the token fails.
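The two-part defect described above (identity read from an unverified payload, and the filter chain continuing after a failed signature check) is illustrated below, with the corrected ordering beside it. This is an added example written for this page; it is not DataEase code and does not reproduce the logic of TokenFilter.java or CommunityTokenFilter.java. Only the header name X-DE-TOKEN comes from the advisory; the signing key, the claim values, and the function names are constructed for the illustration, and HS256 is implemented with the Python standard library so the example runs offline.

```python
"""Vulnerable versus hardened handling of a JWT carried in X-DE-TOKEN.

Added example, not DataEase code. Assumptions (constructed for this page):
  - HS256 tokens, signed with SERVER_KEY
  - claims "uid" and "oid" identify the caller
  - each filter returns a dict describing what the rest of the chain would see
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"example-signing-key"  # constructed placeholder, not a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT (stands in for the server's token issuance)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def signature_valid(token: str, key: bytes) -> bool:
    """Constant-time HS256 check; a malformed token never counts as valid."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, _b64url_decode(sig))
    except ValueError:
        return False


def decode_claims_unverified(token: str) -> dict:
    """Read the payload without checking the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def vulnerable_filter(headers: dict) -> dict:
    """Mirrors the flaw: uid/oid taken from the payload before verification,
    and the request still proceeds when verification fails."""
    token = headers.get("X-DE-TOKEN", "")
    claims = decode_claims_unverified(token)
    ctx = {"uid": claims.get("uid"), "oid": claims.get("oid")}
    if not signature_valid(token, SERVER_KEY):
        # The failure is recorded but does not stop the chain: downstream code
        # runs with an identity the signature never vouched for.
        ctx["sig_error"] = True
    ctx["proceed"] = True
    return ctx


def hardened_filter(headers: dict) -> dict:
    """Verify first, and short-circuit the chain with 401 on any failure.
    Claims are read only after the signature has been checked."""
    token = headers.get("X-DE-TOKEN", "")
    if not signature_valid(token, SERVER_KEY):
        return {"proceed": False, "status": 401}
    claims = decode_claims_unverified(token)  # safe: signature already verified
    return {"proceed": True, "uid": claims["uid"], "oid": claims["oid"]}
```

The hardened variant fixes both halves of the issue: the signature is checked before any claim is trusted, and a failed check returns a 401 instead of letting the request continue down the chain. The same ordering applies to a Java servlet filter, where the equivalent is returning from doFilter() after writing the error response rather than calling chain.doFilter().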


Remediation

Install the security update from the vendor's website.

External links