Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.
Published: 2026-04-16
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: SQL injection enabling execution of arbitrary queries and extraction of sensitive data
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the /datasource/getTableField endpoint, where the tableName parameter is formatted directly into a SQL statement without parameterization or sanitization. The existence check in DatasourceServer.java only confirms that the name appears in the list returned by getTables, and an attacker who registers an API datasource controls that list, so a crafted deTableName passes the check and is spliced into the query unchanged. The result is execution of attacker-chosen SQL against the backing database and extraction of confidential data; the CVSS vector rates both confidentiality and integrity impact as high. The weakness is an untrusted identifier used in query construction, corresponding to CWE-89.

Affected Systems

DataEase data visualization and analytics platform, versions 2.10.20 and earlier; version 2.10.21 contains the fix. The CNA (GitHub_M) records the product as DataEase and lists no other affected vendor or product.

Risk and Exploitability

The CVSS v4.0 score of 8.6 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H) denotes high severity: the endpoint is reachable over the network, the attack is low complexity, it needs only low privileges and no user interaction. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account that is allowed to create an API datasource. The attacker first registers that datasource with a malicious deTableName; because getTables then returns the attacker's own string, the normal table-name validation in DatasourceServer.java passes, and a subsequent call to /datasource/getTableField with the same name runs the injected SQL. The attack vector is therefore an ordinary authenticated request whose table name was pre-seeded by the attacker.
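As an added worked example (not DataEase's own code), the following Python models the flow the advisory describes: an existence check that trusts the datasource's own table list, a String.format-style query builder, and beside it one hardening (an identifier allow-list applied both to the query builder and to API datasource registration). The datasource structures, function names, the in-memory SQLite schema and the sample payload are all constructed for this illustration; DataEase's real query text, data model and the exact change shipped in 2.10.21 are not reproduced here.

```python
import re
import sqlite3

# Added illustration of the CVE-2026-33207 pattern, not DataEase's own code.
# Assumed model: a datasource reports its table names (getTables), the server
# checks the requested name against that list, then formats the name straight
# into a metadata query (the String.format call in getTableFiledSql).

# Identifier rule for the hardened path: letters, digits and underscore only.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample payload: an API datasource "table name" that carries SQL.
PAYLOAD = "orders WHERE 0 UNION SELECT id, password_hash FROM users"


def make_db():
    """Constructed in-memory database standing in for the datasource backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER, amount REAL);
        INSERT INTO orders VALUES (1, 10.5);
        CREATE TABLE users (id INTEGER, password_hash TEXT);
        INSERT INTO users VALUES (1, 'sha256$constructed-sample-hash');
    """)
    return conn


def get_tables(conn, datasource):
    """Like getTables: a DB datasource lists its catalog; an API datasource
    returns whatever deTableName values were stored when it was registered."""
    if datasource["type"] == "api":
        return [t["deTableName"] for t in datasource["tables"]]
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return [r[0] for r in rows]


def get_table_field_sql_vulnerable(table_name):
    """The String.format pattern: the identifier is spliced into query text."""
    return "SELECT * FROM %s LIMIT 1" % table_name


def get_table_field_sql_fixed(table_name):
    """Hardened: reject anything that is not a plain identifier, then quote it.
    Identifiers cannot be bound as parameters, so the allow-list is the control."""
    if not IDENT_RE.match(table_name):
        raise ValueError("invalid table name: %r" % table_name)
    return 'SELECT * FROM "%s" LIMIT 1' % table_name


def register_api_datasource(table_names):
    """Hardened registration: the same identifier rule applies to deTableName,
    so the list the existence check trusts can no longer carry SQL."""
    for name in table_names:
        if not IDENT_RE.match(name):
            raise ValueError("invalid deTableName: %r" % name)
    return {"type": "api", "tables": [{"deTableName": n} for n in table_names]}


def get_table_field(conn, datasource, table_name, build_sql):
    """The DatasourceServer flow: existence check, then query.
    Returns (column names, first row) so any leak is visible to the caller."""
    if table_name not in get_tables(conn, datasource):
        raise ValueError("table not found: %r" % table_name)
    cur = conn.execute(build_sql(table_name))
    return [d[0] for d in cur.description], cur.fetchone()


def demo():
    """Runs the bypass against the vulnerable builder and then the fixed one."""
    conn = make_db()
    # Attacker-controlled API datasource: its table list is the payload itself,
    # so the existence check passes and the payload reaches the format call.
    api_ds = {"type": "api", "tables": [{"deTableName": PAYLOAD}]}
    cols, row = get_table_field(conn, api_ds, PAYLOAD, get_table_field_sql_vulnerable)
    leaked = row[1]  # password hash comes back in the "amount" column

    try:
        get_table_field(conn, api_ds, PAYLOAD, get_table_field_sql_fixed)
        blocked = False
    except ValueError:
        blocked = True
    return {"columns": cols, "leaked": leaked, "blocked_by_fix": blocked}


if __name__ == "__main__":
    print(demo())
```

The UNION payload shows that the identifier position is a full injection point, not just a way to name a different table; the same position can carry the error-based probes the advisory mentions. Note that the fixed builder still has to quote the name after validation: the allow-list stops injection, the quoting stops a validated name from colliding with a keyword.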

Generated by OpenCVE AI on April 16, 2026 at 20:50 UTC.

Remediation

Fixed by the vendor in DataEase 2.10.21; upgrade to 2.10.21 or later. No workaround is documented.

OpenCVE Recommended Actions

  • Apply upgrade to DataEase version 2.10.21 or later to address the SQL injection vulnerability.
  • Until the upgrade is applied, limit which accounts may create or edit API datasources, since registering one is the step that defeats the table-name check.
  • Review existing API datasources for table names that contain SQL syntax (quotes, spaces, UNION, WHERE) and monitor getTableField requests that reference them.


Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 20:45:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Dataease; Dataease dataease
Type: Vendors & Products
  Values removed: (none)
  Values added: Dataease; Dataease dataease

Thu, 16 Apr 2026 19:45:00 +0000

Type: Description
  Values added: DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.
Type: Title
  Values added: DataEase SQL Injection Vulnerability
Type: Weaknesses
  Values added: CWE-89
Type: References
  Values added: (none)
Type: Metrics
  Values added: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T19:37:36.197Z

Reserved: 2026-03-17T23:23:58.312Z

Link: CVE-2026-33207

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-16T20:16:38.797

Modified: 2026-04-16T20:16:38.797

Link: CVE-2026-33207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T21:00:10Z

Weaknesses