TROYANOSYVIRUS
Back to CVEs

CVE-2026-7018

MEDIUM
5.6

Description

A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.

CVE Details

CVSS v3.1 Score5.6
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionNONE
Published4/26/2026
Last Modified4/29/2026
Sourcenvd
Honeypot Sightings0

Weaknesses (CWE)

CWE-320CWE-321

References

https://github.com/datavane/datavines/(cna@vuldb.com)
https://github.com/datavane/datavines/issues/580(cna@vuldb.com)
https://github.com/datavane/datavines/issues/580#issue-4206839649(cna@vuldb.com)
https://github.com/datavane/datavines/pull/579(cna@vuldb.com)
https://github.com/datavane/datavines/pull/579/changes/e540d6dc04e2e6ad11907fb655f3728a13e7b939(cna@vuldb.com)
https://vuldb.com/submit/797305(cna@vuldb.com)
https://vuldb.com/vuln/359597(cna@vuldb.com)
https://vuldb.com/vuln/359597/cti(cna@vuldb.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.