Description
DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.
Published: 2026-03-20
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via JDBC parameter injection
Action: Immediate Patch
AI Analysis

Impact

The flaw stems from the tool's improper handling of string normalization when validating JDBC URLs. Java's default locale conversion, especially Turkish, alters the lowercase letter i to a dotted capital I (İ). The application filters out risky parameters using this locale‑dependent conversion, while the underlying H2 engine normalizes URLs with the English locale. This mismatch lets an attacker craft parameters—such as iNIT—that evade the filter but are interpreted by H2 as the malicious INIT command, enabling arbitrary code execution through JDBC.
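The following is an added example (not DataEase's own code, nor H2's) that reproduces the locale discrepancy described in the description and the analysis above, and shows the hardened form. The blocked-parameter list, the method names, and the simplified `;key=value` URL parsing are assumptions for illustration; DataEase's real filter is not on this page.

```java
import java.util.Locale;
import java.util.Set;

public class JdbcUrlParamCheck {

    // Hypothetical blacklist of H2 URL parameter names; DataEase's real list is not on the page.
    static final Set<String> BLOCKED = Set.of("INIT", "RUNSCRIPT");

    // Vulnerable pattern from the advisory: toUpperCase() with the JVM default locale.
    // Under tr_TR, "iNIT" becomes "İNIT" (dotted capital I) and misses the blacklist.
    static boolean isBlockedDefaultLocale(String paramName) {
        return BLOCKED.contains(paramName.toUpperCase());
    }

    // Hardened form: Locale.ROOT gives locale-independent uppercasing, which agrees
    // with the Locale.ENGLISH normalization H2 applies when it parses the URL.
    static boolean isBlockedRootLocale(String paramName) {
        return BLOCKED.contains(paramName.toUpperCase(Locale.ROOT));
    }

    // Simplified URL check (assumption: H2-style "jdbc:h2:...;KEY=VALUE;KEY2=VALUE2").
    // Returns true if any parameter key matches the blacklist under the chosen normalization.
    static boolean urlHasBlockedParam(String jdbcUrl, boolean localeSafe) {
        String[] parts = jdbcUrl.split(";");
        for (int i = 1; i < parts.length; i++) {           // parts[0] is the "jdbc:h2:..." prefix
            int eq = parts[i].indexOf('=');
            String key = eq < 0 ? parts[i] : parts[i].substring(0, eq);
            boolean blocked = localeSafe ? isBlockedRootLocale(key) : isBlockedDefaultLocale(key);
            if (blocked) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample URL using the parameter spelling named in the advisory.
        String url = "jdbc:h2:mem:demo;iNIT=RUNSCRIPT FROM 'placeholder'";

        Locale saved = Locale.getDefault();
        try {
            // Reproduce the affected environment: JVM default locale set to Turkish.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));

            System.out.println("default-locale upper : " + "iNIT".toUpperCase());
            System.out.println("root-locale upper    : " + "iNIT".toUpperCase(Locale.ROOT));
            System.out.println("vulnerable check hit : " + urlHasBlockedParam(url, false));
            System.out.println("hardened check hit   : " + urlHasBlockedParam(url, true));
        } finally {
            Locale.setDefault(saved);   // restore so the rest of the JVM is unaffected
        }
    }
}
```

Run it with the default locale forced to Turkish, as `main` does, and the default-locale check lets the parameter through while the `Locale.ROOT` check rejects it; that is exactly the gap between DataEase's filter and H2's parser that the advisory describes. Two design points carry over to any similar validator: normalize with an explicit, fixed locale (`Locale.ROOT`) wherever a security decision depends on case folding, and compare against the same normalization the downstream parser uses, since a blacklist is only as good as the agreement between the two sides.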

Affected Systems

The vulnerability affects all instances of the open‑source data visualization tool named DataEase. Versions up to and including 2.10.19 are vulnerable. The defect was addressed in version 2.10.20, which employs locale‑aware string processing to align validation with H2's expectations.

Risk and Exploitability

The CVSS score of 7.7 reflects the severity of the RCE potential. The EPSS score of less than 1% indicates that, although the flaw is serious, exploit attempts are currently rare. The issue is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. Exploitation requires the runtime JVM to operate under a Turkish locale; an attacker who can influence the server’s locale setting or deliver the payload via a remote Java application can bypass the validation and execute arbitrary SQL commands.

Generated by OpenCVE AI on March 23, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DataEase to version 2.10.20 or later

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Dataease
Dataease dataease
Vendors & Products Dataease
Dataease dataease

Fri, 20 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Description DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.
Title DataEase is Vulnerable to H2 JDBC RCE Bypass
Weaknesses CWE-178
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N'}


Subscriptions

Dataease Dataease
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T16:28:28.201Z

Reserved: 2026-03-17T00:05:53.282Z

Link: CVE-2026-32939

Vulnrichment

Updated: 2026-03-20T16:28:22.409Z

NVD

Status : Analyzed

Published: 2026-03-20T04:16:49.150

Modified: 2026-03-23T19:25:44.773

Link: CVE-2026-32939

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:09:29Z

Weaknesses