CVE-2025-15598

A vulnerability was found in Dataease SQLBot up to 1.5.1. It affects the function validateEmbedded in the file backend/apps/system/middleware/auth.py of the JWT Token Handler component. Manipulation leads to improper verification of a cryptographic signature. The attack can be initiated remotely; it is considered to have high complexity and exploitability is said to be difficult. The exploit has been made public and could be used. A comment in the source code warns users about using this feature. The vendor was contacted early about this disclosure.
References
  • https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-JWT-Signature-Verification-Bypass.md (Exploit, Third Party Advisory)
  • https://vuldb.com/?ctiid.348292 (Permissions Required, VDB Entry)
  • https://vuldb.com/?id.348292 (Third Party Advisory, VDB Entry)
  • https://vuldb.com/?submit.707291 (Third Party Advisory, VDB Entry)
Configurations

Configuration 1
  • cpe:2.3:a:fit2cloud:sqlbot:*:*:*:*:*:*:*:*

History

05 Mar 2026, 21:52

Type / Values Removed / Values Added
  • References: removed https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-JWT-Signature-Verification-Bypass.md; added https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-JWT-Signature-Verification-Bypass.md (Exploit, Third Party Advisory)
  • References: removed https://vuldb.com/?ctiid.348292; added https://vuldb.com/?ctiid.348292 (Permissions Required, VDB Entry)
  • References: removed https://vuldb.com/?id.348292; added https://vuldb.com/?id.348292 (Third Party Advisory, VDB Entry)
  • References: removed https://vuldb.com/?submit.707291; added https://vuldb.com/?submit.707291 (Third Party Advisory, VDB Entry)
  • CPE: added cpe:2.3:a:fit2cloud:sqlbot:*:*:*:*:*:*:*:*
  • First Time: added Fit2cloud sqlbot; Fit2cloud
  • Summary (es), translated from Spanish: A vulnerability was found in Dataease SQLBot up to 1.5.1. This affects the function validateEmbedded of the file backend/apps/system/middleware/auth.py of the JWT Token Handler component. Performing a manipulation results in improper verification of the cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. Exploitability is said to be difficult. The exploit has been made public and could be used. A comment in the source code warns users about the use of this feature. The vendor was contacted early about this disclosure.

03 Mar 2026, 10:16

Type / Values Removed / Values Added
  • New CVE

Information

Published : 2026-03-03 10:16

Updated : 2026-03-05 21:52

NVD link : CVE-2025-15598

Mitre link : CVE-2025-15598

CVE.ORG link : CVE-2025-15598


Products Affected

fit2cloud

  • sqlbot
CWE
  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-347: Improper Verification of Cryptographic Signature