VYPR
High severity · 7.3 · NVD Advisory · Published Jun 9, 2026

CVE-2026-11618

Description

DTStack Taier versions prior to 1.4.0 are vulnerable to pre-authentication RCE due to an authentication bypass and JDBC URL injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability exists in DTStack Taier up to version 1.4.0, specifically in LoginInterceptor.java and the data source connection test endpoint. The LoginInterceptor does not validate token signatures, so any non-empty token bypasses authentication. In addition, the connection test endpoint does not sanitize JDBC URLs, and the bundled PostgreSQL JDBC driver (version 42.2.2) is vulnerable to CVE-2022-21724, which allows arbitrary class instantiation via the socketFactory parameter [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by performing three HTTP requests. First, they bypass authentication by sending a request with a Cookie: token=anything. Then, they can inject a malicious JDBC URL containing a socketFactory parameter pointing to a remote XML file. This allows the attacker to execute arbitrary commands on the server with root privileges, requiring no credentials or user interaction [1].

Impact

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to achieve Remote Code Execution (RCE) on the server with root privileges. This is achieved through an authentication bypass followed by a JDBC URL injection, leading to the execution of arbitrary commands [1].

Mitigation

This vulnerability is addressed in the commit f95389e7f74acec42bcee079a616aaa06f9551d2, which updates the PostgreSQL JDBC driver version to 42.2.25 and modifies the LoginInterceptor to properly validate tokens [2]. Users should update to a patched version of DTStack Taier. No specific fixed version number is provided, but the commit indicates a remediation [1, 2].
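The Vulnerability and Mitigation paragraphs above turn on one point: a non-blank check is not token validation. The page does not show what Taier's `TokenService.decryption` does, so the following is an added, hypothetical verifier (not Taier's code) that spells out what a proper check has to cover: structure, signature, and expiry. The token format (`base64url(userId ":" expiresAt) "." base64url(HMAC-SHA256)`), the class name, and the sample key and timestamps are all assumptions; it needs Java 11 or newer.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical signed-token verifier (not Taier's TokenService).
 * Token layout: base64url(userId ":" expiresAt) "." base64url(HMAC-SHA256 over the payload).
 */
public final class SignedTokenVerifier {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final byte[] key;

    public SignedTokenVerifier(byte[] key) {
        this.key = key.clone();
    }

    private byte[] mac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Issues a token for userId that expires at the given Unix time (server side only). */
    public String issue(String userId, long expiresAtEpochSeconds) {
        byte[] payload = (userId + ":" + expiresAtEpochSeconds).getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(payload));
    }

    /** Returns the userId if the token is well-formed, correctly signed and unexpired; throws otherwise. */
    public String verify(String token, long nowEpochSeconds) {
        if (token == null || token.isBlank()) {
            throw new SecurityException("missing token");
        }
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) {
            throw new SecurityException("malformed token");
        }
        byte[] payload;
        byte[] presented;
        try {
            payload = DEC.decode(parts[0]);
            presented = DEC.decode(parts[1]);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("malformed token");
        }
        // Constant-time comparison: Arrays.equals would stop at the first differing byte.
        if (!MessageDigest.isEqual(mac(payload), presented)) {
            throw new SecurityException("bad signature");
        }
        String text = new String(payload, StandardCharsets.UTF_8);
        int sep = text.lastIndexOf(':');
        if (sep < 0) {
            throw new SecurityException("malformed payload");
        }
        long expiresAt;
        try {
            expiresAt = Long.parseLong(text.substring(sep + 1));
        } catch (NumberFormatException e) {
            throw new SecurityException("malformed payload");
        }
        if (nowEpochSeconds >= expiresAt) {
            throw new SecurityException("token expired");
        }
        return text.substring(0, sep);
    }

    private static void attempt(SignedTokenVerifier v, String label, String token, long now) {
        try {
            System.out.println(label + ": accepted user " + v.verify(token, now));
        } catch (SecurityException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed key and clock; a deployment loads the key from configuration, never from source.
        byte[] key = "replace-with-32-random-bytes-from-config".getBytes(StandardCharsets.UTF_8);
        SignedTokenVerifier v = new SignedTokenVerifier(key);
        long now = 1_700_000_000L;
        String good = v.issue("alice", now + 3600);

        attempt(v, "valid token", good, now);
        // The value a blank-check alone would have let through.
        attempt(v, "arbitrary non-empty value", "anything", now);
        attempt(v, "expired token", v.issue("alice", now - 1), now);
        // Payload swapped for another user while keeping the original signature.
        String forged = ENC.encodeToString(("admin:" + (now + 3600)).getBytes(StandardCharsets.UTF_8))
                + "." + good.substring(good.indexOf('.') + 1);
        attempt(v, "re-signed payload", forged, now);
    }
}
```

The interceptor would call `verify` and bind the returned user to the request; every failure path throws, so there is no result flag a caller can forget to check.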

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • DTStack/Taier (2 versions)
    • (no CPE)
    • (no CPE), range: <=1.4.0

Patches (1)

f95389e7f74a

[feat_1194][security][fix Pre-Auth Remote Code Execution via Authentication Bypass + JDBC URL Injection #1194] (#1197)

https://github.com/dtstack/taier · zcswl7961 · May 29, 2026 · via nvd-ref
4 files changed · +32 −2
  • taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInterceptor.java (+8 −0, modified)
    @@ -21,19 +21,25 @@
     import com.dtstack.taier.common.constant.CommonConstant;
     import com.dtstack.taier.common.exception.ErrorCode;
     import com.dtstack.taier.common.exception.TaierDefineException;
    +import com.dtstack.taier.develop.service.user.TokenService;
     import com.dtstack.taier.develop.utils.CookieUtil;
     import org.apache.commons.lang3.StringUtils;
     import org.slf4j.Logger;
     import org.slf4j.LoggerFactory;
     import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
     
    +import javax.annotation.Resource;
     import javax.servlet.http.HttpServletRequest;
     import javax.servlet.http.HttpServletResponse;
     
     public class LoginInterceptor extends HandlerInterceptorAdapter {
     
         private static Logger LOGGER = LoggerFactory.getLogger(LoginInterceptor.class);
     
    +
    +    @Resource
    +    private TokenService tokenService;
    +
         @Override
         public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
             String requestURI = request.getRequestURI();
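Review bot: `@Resource private TokenService tokenService;` only gets populated if `LoginInterceptor` is itself a Spring-managed bean; if the interceptor is registered with `new LoginInterceptor()` in a WebMvc configurer, the field stays null and the call added later in `preHandle` fails with a `NullPointerException` on every request. That fails closed, but it is worth confirming the registration path (or switching to constructor injection so the dependency cannot be missing) and covering it with an integration test.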
    @@ -47,6 +53,8 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
             if (StringUtils.isBlank(token)) {
                 throw new TaierDefineException(ErrorCode.NOT_LOGIN);
             }
    +        tokenService.decryption(token);
    +
             return true;
         }
     }
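Review bot: the return value of `tokenService.decryption(token)` is discarded, so the check is only as strong as that method's failure mode: it must throw on a malformed, unsigned or expired token, otherwise `preHandle` still returns `true` for any non-blank cookie exactly as before. Make the contract explicit, e.g. `if (tokenService.decryption(token) == null) { throw new TaierDefineException(ErrorCode.NOT_LOGIN); }`, bind the decoded identity to the request, and add a test asserting that a random string in the `token` cookie is rejected.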
    
  • taier-datasource/taier-datasource-plugin/taier-datasource-plugin-libra/pom.xml (+1 −1, modified)
    @@ -19,7 +19,7 @@
             <jar.package.name>libra</jar.package.name>
             <jar.name>Libra</jar.name>
     
    -        <postgresql.version>42.2.2</postgresql.version>
    +        <postgresql.version>42.2.25</postgresql.version>
         </properties>
     
         <dependencies>
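Review bot: 42.2.25 is the 42.2-branch release that fixed CVE-2022-21724, the driver issue this advisory cites, so this is the minimum bump that removes the `socketFactory` class-instantiation path; it still leaves the project on a maintenance branch, so plan a move to a current 42.x line rather than treating the pin as final.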
    
  • taier-datasource/taier-datasource-plugin/taier-datasource-plugin-postgresql/pom.xml (+1 −1, modified)
    @@ -18,7 +18,7 @@
             <jar.package.name>postgresql</jar.package.name>
             <jar.name>Postgresql</jar.name>
     
    -        <postgresql.version>42.2.2</postgresql.version>
    +        <postgresql.version>42.2.25</postgresql.version>
         </properties>
     
         <dependencies>
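Review bot: this is the same `<postgresql.version>` bump as in the libra plugin pom, maintained in two places; declaring the property once in the parent pom (and dropping it here and in libra) would ensure a future driver update cannot land in one plugin and miss the other.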
    
  • taier-datasource/taier-datasource-plugin/taier-datasource-plugin-rdbms/src/main/java/com/dtstack/taier/datasource/plugin/rdbms/ConnFactory.java (+22 −0, modified)
    @@ -40,8 +40,11 @@
     import java.sql.Connection;
     import java.sql.DriverManager;
     import java.sql.Statement;
    +import java.util.Arrays;
    +import java.util.HashSet;
     import java.util.List;
     import java.util.Properties;
    +import java.util.Set;
     import java.util.concurrent.ConcurrentHashMap;
     import java.util.concurrent.ExecutorService;
     import java.util.concurrent.LinkedBlockingQueue;
    @@ -75,6 +78,14 @@ public class ConnFactory {
     
         private static final String CP_POOL_KEY = "url:%s,username:%s,password:%s,properties:%s";
     
    +    /**
    +     * filter with db property
    +     */
    +    private static final Set<String> DANGEROUS_PARAMS = new HashSet<>(Arrays.asList(
    +            "autoDeserialize", "allowLoadLocalInfile", "allowUrlInLocalInfile",
    +            "queryInterceptors", "socketFactory", "socketFactoryArg"
    +    ));
    +
         /**
          * 线程池 - 用于部分数据源获取连接超时处理
          */
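Review bot: `DANGEROUS_PARAMS` is a denylist of parameter names, and every entry is mixed-case (`socketFactory`, `autoDeserialize`, ...) while the consumer in `getSimpleConn` matches them against a lower-cased URL, so as written none of them can ever match; normalise the entries to lower case here (or make the comparison case-insensitive). Separately, a denylist has to be extended for every driver option that turns out to be dangerous; an allowlist of the few parameters a connection test legitimately needs (SSL mode, timeouts, schema) is easier to keep correct, and the javadoc `filter with db property` should say what this set is for and where it is enforced.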
    @@ -157,6 +168,17 @@ protected Connection getSimpleConn(ISourceDTO source) throws Exception {
             init();
             DriverManager.setLoginTimeout(30);
             log.info("datasource connected, url : {}, userName : {}, kerberosConfig : {}", rdbmsSourceDTO.getUrl(), rdbmsSourceDTO.getUsername(), rdbmsSourceDTO.getKerberosConfig());
    +        // property check
    +        String urlLower = rdbmsSourceDTO.getUrl().toLowerCase();
    +        for (String dangerousParam : DANGEROUS_PARAMS) {
    +            if (urlLower.contains("?" + dangerousParam + "=") ||
    +                    urlLower.contains("&" + dangerousParam + "=") ||
    +                    urlLower.contains("?" + dangerousParam + "%3d") ||
    +                    urlLower.endsWith("?" + dangerousParam)) {
    +                throw new SecurityException("Dangerous JDBC parameter detected: " + dangerousParam);
    +            }
    +        }
    +
             return DriverManager.getConnection(rdbmsSourceDTO.getUrl(), PropertiesUtil.convertToProp(rdbmsSourceDTO));
         }
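Review bot: `urlLower` is lower-cased but `dangerousParam` keeps its upper-case letters, so `urlLower.contains("?" + dangerousParam + "=")` and the other three conditions are always false and the loop never throws; lower-case both sides with `toLowerCase(Locale.ROOT)` and add a unit test that `?socketFactory=` is rejected, which fails on this hunk as written. Two further gaps remain once that is fixed: only the URL is screened, while `PropertiesUtil.convertToProp(rdbmsSourceDTO)` goes to `DriverManager.getConnection` unchecked, and only the `%3d` encoding of `=` is considered, so a percent-encoded key or separator is not decoded before matching. Parsing the query string into key/value pairs, decoding each key, and applying the same check to the Properties closes both.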
     
    

Vulnerability mechanics

Root cause

"The LoginInterceptor fails to validate the token, and the connection factory does not sanitize JDBC URL parameters, allowing for authentication bypass and remote code execution."

Attack vector

An unauthenticated attacker can bypass authentication by sending any non-empty token in the 'token' cookie [ref_id=1]. This allows the attacker to reach the data source connection test endpoint. By injecting a malicious JDBC URL with parameters like 'socketFactory' and 'socketFactoryArg', the attacker can trigger the execution of arbitrary commands on the server [ref_id=1]. The attack can be performed remotely [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L].

Affected code

The vulnerability exists in the `preHandle` method of `LoginInterceptor.java` within the `taier-data-develop` module, which previously lacked proper token validation. The `ConnFactory.java` file in the `taier-datasource-plugin-rdbms` module is also affected, as it directly uses user-supplied JDBC URLs without sanitization, particularly in the `getSimpleConn` method.

What the fix does

The patch addresses the vulnerability by enhancing the LoginInterceptor to validate the token using `tokenService.decryption(token)` instead of just checking if it's blank [patch_id=5292146]. Additionally, the `ConnFactory` now filters dangerous JDBC parameters, such as 'socketFactory' and 'socketFactoryArg', by checking against a predefined set of unsafe values before establishing a connection [patch_id=5292146]. The PostgreSQL JDBC driver version was also updated to a patched version [patch_id=5292146].
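The fix described above screens the JDBC URL for a fixed set of dangerous parameter names by substring matching. As an added example (not Taier's code), the class below shows the alternative a reviewer would ask for: parse the query string into parameters, URL-decode and case-fold each name, and accept only an allowlist, applied to both the URL and the `Properties` that `DriverManager.getConnection` receives. The class name, the allowlist contents, and the sample URLs and credentials are assumptions; it needs Java 11 or newer.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

/**
 * Allowlist guard for user-supplied JDBC URLs and connection Properties (hypothetical
 * class, not part of Taier). Rather than searching the raw URL for known-bad substrings,
 * it parses the query string, URL-decodes and lower-cases every parameter name, and
 * rejects anything not explicitly permitted for a connection test.
 */
public final class JdbcUrlGuard {

    /** Parameters a connection test may set; assumed policy, adjust per driver. */
    private static final Set<String> ALLOWED = Set.of(
            "ssl", "sslmode", "connecttimeout", "sockettimeout",
            "currentschema", "applicationname");

    private JdbcUrlGuard() {
    }

    /** Decoded, lower-cased parameter names from the URL's query string, in order. */
    public static List<String> parameterNames(String url) {
        List<String> names = new ArrayList<>();
        int q = url.indexOf('?');
        if (q < 0) {
            return names;
        }
        // Split on '&' before decoding so an encoded '&' inside a value cannot create a new pair.
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            // A bare "?socketFactory" with no '=' is still a parameter and is still screened.
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8).trim().toLowerCase(Locale.ROOT);
            names.add(key);
        }
        return names;
    }

    /**
     * Throws SecurityException if the URL query string or the Properties handed to
     * DriverManager carry a parameter outside the allowlist. Both are checked because
     * the driver merges them; screening only the URL leaves the Properties path open.
     */
    public static void check(String url, Properties props) {
        for (String name : parameterNames(url)) {
            if (!ALLOWED.contains(name)) {
                throw new SecurityException("JDBC URL parameter not permitted: " + name);
            }
        }
        for (String name : props.stringPropertyNames()) {
            String key = name.toLowerCase(Locale.ROOT);
            if (!key.equals("user") && !key.equals("password") && !ALLOWED.contains(key)) {
                throw new SecurityException("JDBC property not permitted: " + name);
            }
        }
    }

    private static void report(String label, String url, Properties props) {
        try {
            check(url, props);
            System.out.println(label + ": allowed");
        } catch (SecurityException e) {
            System.out.println(label + ": rejected, " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; the host name and parameter values are placeholders.
        String base = "jdbc:postgresql://db.example.internal:5432/taier";
        Properties creds = new Properties();
        creds.setProperty("user", "taier");
        creds.setProperty("password", "placeholder");

        report("benign options", base + "?sslmode=require&connectTimeout=5", creds);
        report("denylisted name", base + "?socketFactory=x", creds);
        report("upper-cased name", base + "?SOCKETFACTORY=x", creds);
        report("percent-encoded name", base + "?%73ocketFactory=x", creds);
        report("bare name, no value", base + "?socketFactory", creds);

        // Same parameter arriving through Properties while the URL itself is clean.
        Properties tainted = new Properties();
        tainted.putAll(creds);
        tainted.setProperty("socketFactory", "x");
        report("via Properties", base, tainted);
    }
}
```

`check` would be called in `getSimpleConn` immediately before `DriverManager.getConnection`, with the same URL and the same `Properties` object that are passed to the driver, so what is screened is exactly what is connected with.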

Preconditions

  • auth: No authentication is required to exploit the vulnerability.
  • network: The attack can be performed remotely.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.