Skip to main content

Datavane Datavines CVE-2026-7018

| EUVDEUVD-2026-25693 LOW
Use of Hard-coded Cryptographic Key (CWE-321)
2026-04-26 VulDB
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.3 (MEDIUM) 2.9 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 26, 2026 - 04:30 vuln.today
CVSS changed
Apr 26, 2026 - 04:22 NVD
5.6 (MEDIUM) 6.3 (MEDIUM)
EUVD ID Assigned
Apr 26, 2026 - 04:15 euvd
EUVD-2026-25693
Analysis Generated
Apr 26, 2026 - 04:15 vuln.today
Patch released
Apr 26, 2026 - 04:15 nvd
Patch available
CVE Published
Apr 26, 2026 - 03:30 nvd
LOW 2.9

DescriptionCVE.org

A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

Datavane Datavines up to commit 13607645e14a4982468cfdbcf75c85cde63bae71 uses a hard-coded cryptographic key in the JWT Token Handler component, allowing remote attackers to manipulate the tokenSecret parameter and bypass authentication or forge tokens. The vulnerability requires high attack complexity but has publicly available exploit code; the vendor has been informed via pull request but has not yet merged the fix.

Technical ContextAI

The vulnerability exists in the TokenManager.java component within the JWT Token Handler of Datavines, a Java-based data quality platform. JWT (JSON Web Tokens) are cryptographic tokens used for stateless authentication and authorization. CWE-321 (Use of Hard-Coded Cryptographic Key) indicates the root cause: the application uses a static, embedded cryptographic key for signing or validating JWT tokens rather than deriving keys securely at runtime or loading them from external configuration. An attacker who discovers or predicts this hard-coded key can forge valid JWT tokens with arbitrary claims, effectively impersonating any user or elevating privileges without legitimate credentials. The attack surface is the tokenSecret parameter, which should be dynamically managed but is instead hard-coded in the source.

RemediationAI

Apply the upstream fix from pull request https://github.com/datavane/datavines/pull/579, which contains patch commit e540d6dc04e2e6ad11907fb655f3728a13e7b939. This patch modifies the TokenManager.java component to remove the hard-coded cryptographic key and implement secure key management. Users operating a rolling-release deployment should pull the latest main branch after the patch is merged. If the patch has not yet been merged into the main repository (as indicated by the vendor's lack of response), apply the changes manually from PR/579 or maintain a fork until the upstream project accepts the fix. As a temporary compensating control, restrict network access to JWT token endpoints to trusted internal networks only and implement network-level authentication proxies that validate token requests before they reach the Datavines service; note that this does not fix the underlying cryptographic weakness and should be considered a temporary measure only.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-7018 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy