Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalParameters field that contains the JDBC security blocklist. When a datasource configuration is submitted as JSON, Jackson deserialization calls setIllegalParameters with an attacker-supplied empty list, replacing the blocklist before getJdbc() validation runs. This allows an authenticated attacker to include dangerous JDBC parameters such as allowLoadLocalInfile=true, and by pointing the datasource at a rogue MySQL server, exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the DataEase server filesystem, including sensitive environment variables and database credentials. This issue has been fixed in version 2.10.21.
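The mechanism described above, as an added illustration that is not DataEase's own code: a simplified datasource class in the vulnerable shape (Lombok's @Data generating a public setter for the blocklist field, which Jackson then binds from the request body) next to a hardened shape where the blocklist is a class constant with no bean setter and is explicitly excluded from JSON binding. Only the parameter name allowLoadLocalInfile comes from the advisory; the class names, the other fields, the getJdbc() layout and the request body are constructed for this example, and Lombok and Jackson are assumed to be on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.Data;
import lombok.Getter;
import lombok.Setter;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Illustrative classes, not DataEase's Mysql class: the shapes are simplified.
public class JdbcBlocklistDemo {

    // Vulnerable shape: @Data generates setIllegalParameters(List<String>), so a
    // request body containing "illegalParameters": [] overwrites the blocklist
    // during Jackson binding, before getJdbc() ever runs its check.
    @Data
    public static class MysqlConfigVulnerable {
        private String host;
        private int port;
        private String extraParams;
        // Blocklist held in an instance field (only the page's parameter is listed here)
        private List<String> illegalParameters =
                new ArrayList<>(Arrays.asList("allowLoadLocalInfile"));

        public String getJdbc() {
            rejectIllegalParameters(extraParams, illegalParameters);
            return "jdbc:mysql://" + host + ":" + port + "/?" + extraParams;
        }
    }

    // Hardened shape: the blocklist is an unmodifiable class constant, so there is
    // no field and no setter for Jackson to bind. @JsonIgnore on the accessor is
    // defence in depth: by default Jackson may also treat a Collection getter as a
    // setter (USE_GETTERS_AS_SETTERS) and add elements to the returned list.
    @Getter
    @Setter
    public static class MysqlConfigHardened {
        private String host;
        private int port;
        private String extraParams;

        private static final List<String> ILLEGAL_PARAMETERS =
                Collections.unmodifiableList(Arrays.asList("allowLoadLocalInfile"));

        @JsonIgnore
        public List<String> getIllegalParameters() {
            return ILLEGAL_PARAMETERS;
        }

        public String getJdbc() {
            rejectIllegalParameters(extraParams, ILLEGAL_PARAMETERS);
            return "jdbc:mysql://" + host + ":" + port + "/?" + extraParams;
        }
    }

    // Shared check: reject any key=value pair whose key is on the blocklist.
    // Keys are compared case-insensitively after trimming; a real implementation
    // should canonicalise keys the same way the JDBC driver does.
    static void rejectIllegalParameters(String extraParams, List<String> blocklist) {
        if (extraParams == null || extraParams.isEmpty()) {
            return;
        }
        for (String pair : extraParams.split("&")) {
            String key = pair.split("=", 2)[0].trim();
            for (String banned : blocklist) {
                if (banned.equalsIgnoreCase(key)) {
                    throw new IllegalArgumentException("JDBC parameter not allowed: " + key);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body: the blocked option together with an empty
        // blocklist, the combination the advisory describes.
        String body = "{\"host\":\"db.example\",\"port\":3306,"
                + "\"extraParams\":\"allowLoadLocalInfile=true\","
                + "\"illegalParameters\":[]}";
        ObjectMapper mapper = new ObjectMapper();

        MysqlConfigVulnerable v = mapper.readValue(body, MysqlConfigVulnerable.class);
        // setIllegalParameters([]) ran during binding, so the check has nothing to reject
        System.out.println("vulnerable blocklist after binding: " + v.getIllegalParameters());
        System.out.println("vulnerable getJdbc(): " + v.getJdbc());

        MysqlConfigHardened h = mapper.readValue(body, MysqlConfigHardened.class);
        // The "illegalParameters" key was ignored during binding; the constant still applies
        try {
            h.getJdbc();
            System.out.println("hardened: unexpectedly accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened getJdbc(): rejected, " + e.getMessage());
        }
    }
}
```

The design point is that a security control must not be a writable bean property of the same object a client is allowed to populate: keeping the blocklist out of the JSON-bound state (constant, no setter, @JsonIgnore) is what closes the hole, and a code review of @Data classes that hold validation state is a cheap way to find the same pattern elsewhere. Note that Jackson's FAIL_ON_UNKNOWN_PROPERTIES does not help here, because a property marked @JsonIgnore is skipped silently unless FAIL_ON_IGNORED_PROPERTIES is also enabled.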
Published: 2026-04-16
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read via authenticated database access
Action: Patch Now
AI Analysis

Impact

DataEase versions 2.10.20 and earlier have a JDBC parameter blocklist bypass: an authenticated user can set the illegalParameters field to an empty list while submitting a datasource configuration. This removes the blocklist that normally rejects dangerous JDBC options such as allowLoadLocalInfile=true. When an attacker supplies this option and points the datasource at a malicious MySQL server, the MySQL LOAD DATA LOCAL INFILE protocol feature can be used to read arbitrary files from the DataEase host, including environment variables and database credentials. The root cause, a blocklist that the client can overwrite, is classified as CWE-183.

Affected Systems

The affected product is DataEase, an open-source data visualization and analytics platform. All releases up to and including 2.10.20 are impacted; the fix was released in version 2.10.21.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, and the issue is not listed in CISA's KEV catalog. No EPSS information is available. Exploitation requires an authenticated user with permission to create or modify datasources; the likely attack vector is the application's datasource configuration interface. Once the blocklist is bypassed, the attacker can read arbitrary files, exposing sensitive information and potentially enabling further compromise of the system.

Generated by OpenCVE AI on April 17, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DataEase to version 2.10.21 or later
  • Verify that datasource configurations enforce the JDBC blocklist and prevent the illegalParameters setter from being called with arbitrary values
  • Configure the MySQL server to disable or restrict the LOAD DATA LOCAL INFILE feature so that even if the option is passed, the server will reject the request

Advisories

No advisories yet.

History

Sun, 19 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 22:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Dataease; Dataease dataease

Type: Vendors & Products
Values Removed: (none)
Values Added: Dataease; Dataease dataease

Thu, 16 Apr 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalParameters field that contains the JDBC security blocklist. When a datasource configuration is submitted as JSON, Jackson deserialization calls setIllegalParameters with an attacker-supplied empty list, replacing the blocklist before getJdbc() validation runs. This allows an authenticated attacker to include dangerous JDBC parameters such as allowLoadLocalInfile=true, and by pointing the datasource at a rogue MySQL server, exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the DataEase server filesystem, including sensitive environment variables and database credentials. This issue has been fixed in version 2.10.21.

Type: Title
Values Removed: (none)
Values Added: DataEase has an Arbitrary File Read Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-183

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0
{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T02:43:14.720Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40899

Vulnrichment

Updated: 2026-04-18T02:43:08.185Z

NVD

Status: Undergoing Analysis

Published: 2026-04-16T20:16:38.957

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses