Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.
Published: 2026-04-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Patch Immediately
AI Analysis

Impact

DataEase is an open-source data visualization platform that exposes a SQL preview endpoint accepting user-supplied queries. A flaw in the /de2api/datasetData/previewSql route wraps the input in a subquery but does not enforce that the input is a single SELECT statement. Combined with a JDBC blocklist bypass that enables allowMultiQueries=true, an attacker can exit the subquery and execute arbitrary stacked SQL statements, including writes, against the connected database. Although the attacker must be authenticated with valid datasource credentials, successful exploitation grants full read and write access to the underlying database.

Affected Systems

DataEase instances running version 2.10.20 or earlier are vulnerable. The issue was addressed in release 2.10.21; versions 2.10.21 and later are not affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. EPSS is not available, but the fact that it is not listed in the KEV catalog suggests no publicly known exploits at this time. The attacker must possess authenticated access to a valid datasource, which limits the risk to customers who expose such credentials. Nevertheless, those credentials can provide complete control over the underlying database, enabling data theft, modification, or destruction.

Generated by OpenCVE AI on April 17, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DataEase to version 2.10.21 or later, which removes the vulnerable endpoint.
  • If upgrading is not immediately possible, configure the JDBC connection to disable allowMultiQueries and block stacked statements.
  • Restrict the permissions of datasource credentials to the minimum required for the application, removing update privileges where possible.
  • Implement application-level validation so that the previewSql endpoint accepts only a single SELECT statement.

Generated by OpenCVE AI on April 17, 2026 at 02:27 UTC.
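The last two recommended actions above, rejecting anything but a single SELECT before the subquery wrapper is applied and refusing JDBC URLs that turn on allowMultiQueries, as an added illustration in Python. This is not DataEase's own code (which is Java); the function names, the wrapper shape and the MySQL-style comment and literal syntax are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed illustration of the two application-level controls; none of this
# is DataEase code. Literal and comment handling follows MySQL syntax.

def strip_literals_and_comments(sql: str) -> str:
    """Blank out quoted literals and comments so a ';' inside them is not
    mistaken for a statement separator, while one outside them stays visible."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":                      # quoted string or identifier
            j = i + 1
            while j < n and sql[j] != c:
                j += 2 if sql[j] == "\\" else 1   # skip backslash escapes
            out.append(" ")
            i = j + 1
        elif c == "#" or sql.startswith("--", i):   # line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):        # block comment
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)

def is_single_select(sql: str) -> bool:
    """True only for one SELECT (or CTE) with no statement separator at all."""
    cleaned = strip_literals_and_comments(sql).strip()
    if ";" in cleaned:                       # any separator means stacked statements
        return False
    first = re.match(r"[A-Za-z]+", cleaned)
    return first is not None and first.group(0).upper() in ("SELECT", "WITH")

def wrap_preview(sql: str, limit: int = 100) -> str:
    """Validate before wrapping; the wrapper alone is not a security boundary."""
    if not is_single_select(sql):
        raise ValueError("previewSql accepts exactly one SELECT statement")
    return f"SELECT * FROM ({sql}) AS preview LIMIT {int(limit)}"

def jdbc_allows_multi_queries(jdbc_url: str) -> bool:
    """Check the URL-decoded, case-folded property, not the raw URL string,
    so that spelling or encoding variants cannot slip past the check."""
    query = urlsplit(jdbc_url.removeprefix("jdbc:")).query
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    return any(v.strip().lower() == "true" for v in params.get("allowmultiqueries", []))
```

Rejecting any semicolon outside literals and comments is deliberately stricter than parsing full statements: a trailing ";" on a legitimate query is refused rather than risking a second statement reaching the driver.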


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:15:00 +0000

Type: Metrics ssvc
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 23:00:00 +0000

Type: First Time appeared
Values added: Dataease; Dataease dataease

Type: Vendors & Products
Values added: Dataease; Dataease dataease

Thu, 16 Apr 2026 21:15:00 +0000

Type: Description
Values added: DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.

Type: Title
Values added: DataEase has SQL Injection via Stacked Queries

Type: Weaknesses
Values added: CWE-89

Type: References

Type: Metrics cvssV4_0
Values added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T12:38:32.676Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40900

Vulnrichment

Updated: 2026-04-17T12:38:14.872Z

NVD

Status : Undergoing Analysis

Published: 2026-04-16T21:16:24.113

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses