Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.
AnalysisAI
Datavane Datavines up to commit 13607645e14a4982468cfdbcf75c85cde63bae71 uses a hard-coded cryptographic key in the JWT Token Handler component, allowing remote attackers to manipulate the tokenSecret parameter and bypass authentication or forge tokens. The vulnerability requires high attack complexity but has publicly available exploit code; the vendor has been informed via pull request but has not yet merged the fix.
Technical ContextAI
The vulnerability exists in the TokenManager.java component within the JWT Token Handler of Datavines, a Java-based data quality platform. JWT (JSON Web Tokens) are cryptographic tokens used for stateless authentication and authorization. CWE-321 (Use of Hard-Coded Cryptographic Key) indicates the root cause: the application uses a static, embedded cryptographic key for signing or validating JWT tokens rather than deriving keys securely at runtime or loading them from external configuration. An attacker who discovers or predicts this hard-coded key can forge valid JWT tokens with arbitrary claims, effectively impersonating any user or elevating privileges without legitimate credentials. The attack surface is the tokenSecret parameter, which should be dynamically managed but is instead hard-coded in the source.
RemediationAI
Apply the upstream fix from pull request https://github.com/datavane/datavines/pull/579, which contains patch commit e540d6dc04e2e6ad11907fb655f3728a13e7b939. This patch modifies the TokenManager.java component to remove the hard-coded cryptographic key and implement secure key management. Users operating a rolling-release deployment should pull the latest main branch after the patch is merged. If the patch has not yet been merged into the main repository (as indicated by the vendor's lack of response), apply the changes manually from PR/579 or maintain a fork until the upstream project accepts the fix. As a temporary compensating control, restrict network access to JWT token endpoints to trusted internal networks only and implement network-level authentication proxies that validate token requests before they reach the Datavines service; note that this does not fix the underlying cryptographic weakness and should be considered a temporary measure only.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25693