Improper Authentication in DataEase - CVE-2026-46684

Published: June 18, 2026


Vulnerability identifier: #VU134820
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-46684
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DataEase
Affected software:
DataEase

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to improper authentication in TokenFilter and CommunityTokenFilter when handling requests to authenticated functionality and datasource operations. A remote attacker can forge a sufficiently long JWT to access protected endpoints and supply a crafted Redshift JDBC URL to write a malicious script that is later executed, resulting in arbitrary command execution.

This issue affects the enterprise edition when license validation is enabled, because JWT payload fields are accepted without signature verification.


How to mitigate CVE-2026-46684

Install the security update from the vendor's website.

Sources