CVE-2026-7018

Description

A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.

PUBLISHED Reserved 2026-04-25 | Published 2026-04-26 | Updated 2026-04-27 | Assigner VulDB

Problem types

Use of Hard-coded Cryptographic Key

Key Management Error

Product status

Timeline

Credits

anch0r (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/359597 (VDB-359597 | Datavane Datavines JWT Token TokenManager.java hard-coded key) vdb-entry technical-description

vuldb.com/vuln/359597/cti (VDB-359597 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/797305 (Submit #797305 | datavane datavanes <= 1.0.0-SNAPSHOT Improper Authentication) third-party-advisory

github.com/datavane/datavines/issues/580 issue-tracking

github.com/datavane/datavines/pull/579 issue-tracking patch

github.com/datavane/datavines/issues/580 exploit issue-tracking

github.com/...anges/e540d6dc04e2e6ad11907fb655f3728a13e7b939 issue-tracking patch

github.com/datavane/datavines/ product

cve.org (CVE-2026-7018)

nvd.nist.gov (CVE-2026-7018)

Download JSON