Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-7018

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-26 Apr, 2026 | 03:30
Updated At-27 Apr, 2026 | 17:02
Rejected At-
Credits

Datavane Datavines JWT Token TokenManager.java hard-coded key

A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:26 Apr, 2026 | 03:30
Updated At:27 Apr, 2026 | 17:02
Rejected At:
â–¼CVE Numbering Authority (CNA)
Datavane Datavines JWT Token TokenManager.java hard-coded key

A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.

Affected Products
Vendor
Datavane
Product
Datavines
Modules
  • JWT Token Handler
Versions
Affected
  • 13607645e14a4982468cfdbcf75c85cde63bae71
Problem Types
TypeCWE IDDescription
CWECWE-321Use of Hard-coded Cryptographic Key
CWECWE-320Key Management Error
Type: CWE
CWE ID: CWE-321
Description: Use of Hard-coded Cryptographic Key
Type: CWE
CWE ID: CWE-320
Description: Key Management Error
Metrics
VersionBase scoreBase severityVector
4.06.3MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.15.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
3.05.6MEDIUM
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
2.05.1N/A
AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 5.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Version: 3.0
Base score: 5.6
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Version: 2.0
Base score: 5.1
Base severity: N/A
Vector:
AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
anch0r (VulDB User)
coordinator
VulDB CNA Team
Timeline
EventDate
Advisory disclosed2026-04-25 00:00:00
VulDB entry created2026-04-25 02:00:00
VulDB entry last update2026-04-25 12:37:25
Event: Advisory disclosed
Date: 2026-04-25 00:00:00
Event: VulDB entry created
Date: 2026-04-25 02:00:00
Event: VulDB entry last update
Date: 2026-04-25 12:37:25
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/vuln/359597
vdb-entry
technical-description
https://vuldb.com/vuln/359597/cti
signature
permissions-required
https://vuldb.com/submit/797305
third-party-advisory
https://github.com/datavane/datavines/issues/580
issue-tracking
https://github.com/datavane/datavines/pull/579
issue-tracking
patch
https://github.com/datavane/datavines/issues/580#issue-4206839649
exploit
issue-tracking
https://github.com/datavane/datavines/pull/579/changes/e540d6dc04e2e6ad11907fb655f3728a13e7b939
issue-tracking
patch
https://github.com/datavane/datavines/
product
Hyperlink: https://vuldb.com/vuln/359597
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/359597/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/submit/797305
Resource:
third-party-advisory
Hyperlink: https://github.com/datavane/datavines/issues/580
Resource:
issue-tracking
Hyperlink: https://github.com/datavane/datavines/pull/579
Resource:
issue-tracking
patch
Hyperlink: https://github.com/datavane/datavines/issues/580#issue-4206839649
Resource:
exploit
issue-tracking
Hyperlink: https://github.com/datavane/datavines/pull/579/changes/e540d6dc04e2e6ad11907fb655f3728a13e7b939
Resource:
issue-tracking
patch
Hyperlink: https://github.com/datavane/datavines/
Resource:
product
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:26 Apr, 2026 | 04:16
Updated At:26 Apr, 2026 | 04:16

A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.3MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Secondary2.05.1MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P
Type: Secondary
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 5.1
Base severity: MEDIUM
Vector:
AV:N/AC:H/Au:N/C:P/I:P/A:P
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-320Primarycna@vuldb.com
CWE-321Primarycna@vuldb.com
CWE ID: CWE-320
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-321
Type: Primary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/datavane/datavines/cna@vuldb.com
N/A
https://github.com/datavane/datavines/issues/580cna@vuldb.com
N/A
https://github.com/datavane/datavines/issues/580#issue-4206839649cna@vuldb.com
N/A
https://github.com/datavane/datavines/pull/579cna@vuldb.com
N/A
https://github.com/datavane/datavines/pull/579/changes/e540d6dc04e2e6ad11907fb655f3728a13e7b939cna@vuldb.com
N/A
https://vuldb.com/submit/797305cna@vuldb.com
N/A
https://vuldb.com/vuln/359597cna@vuldb.com
N/A
https://vuldb.com/vuln/359597/cticna@vuldb.com
N/A
Hyperlink: https://github.com/datavane/datavines/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/datavane/datavines/issues/580
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/datavane/datavines/issues/580#issue-4206839649
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/datavane/datavines/pull/579
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/datavane/datavines/pull/579/changes/e540d6dc04e2e6ad11907fb655f3728a13e7b939
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/797305
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/359597
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/359597/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2025-12615
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.3||LOW
EPSS-0.06% / 18.31%
||
7 Day CHG~0.00%
Published-03 Nov, 2025 | 03:32
Updated-24 Feb, 2026 | 06:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul News Portal settings.py hard-coded key

A security vulnerability has been detected in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /onps/settings.py. Such manipulation of the argument SECRET_KEY leads to use of hard-coded cryptographic key . The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-news_portalNews Portal
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CVE-2025-11290
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.04% / 12.64%
||
7 Day CHG-0.00%
Published-05 Oct, 2025 | 11:32
Updated-24 Feb, 2026 | 06:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRMEB JWT HMAC Secret hard-coded key

A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-crmebn/a
Product-crmebCRMEB
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CVE-2026-7306
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.06% / 18.53%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 19:30
Updated-30 Apr, 2026 | 12:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-Xuxueli
Product-xxl-job
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CVE-2024-1920
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.6||MEDIUM
EPSS-0.19% / 40.55%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 13:31
Updated-18 Dec, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
osuuu LightPicture TokenVerify.php handle hard-coded key

A vulnerability, which was classified as critical, has been found in osuuu LightPicture up to 1.2.2. This issue affects the function handle of the file /app/middleware/TokenVerify.php. The manipulation leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254855.

Action-Not Available
Vendor-osuuuosuuu
Product-lightpictureLightPicture
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CVE-2025-13948
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.04% / 13.54%
||
7 Day CHG+0.01%
Published-03 Dec, 2025 | 14:32
Updated-04 Dec, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
opsre go-ldap-admin JWT docker-compose.yaml hard-coded key

A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Executing manipulation of the argument secret key can lead to use of hard-coded cryptographic key . The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-opsre
Product-go-ldap-admin
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CVE-2025-13877
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.05% / 15.65%
||
7 Day CHG+0.01%
Published-02 Dec, 2025 | 16:02
Updated-02 Dec, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nocobase JWT Service jwt-service.ts hard-coded key

A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-n/a
Product-nocobase
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
Details not found