SB2026041646 - Multiple vulnerabilities in DataEase
Published: April 16, 2026
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Deserialization of Untrusted Data (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to insecure deserialization in the Quartz JDBC job store when job data is read back from the qrtz_job_details table. A remote user who can write to that table can store a crafted serialized JobDataMap blob that is deserialized, and thereby execute arbitrary code, when the job is next loaded.
The issue is not exploitable on its own: it must be chained with a SQL injection that can modify the JOB_DATA column, and the payload is only triggered when the scheduled Datasource/check_status Quartz job runs.
2) SQL injection (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary SQL statements.
The vulnerability exists due to SQL injection in the previewSql API endpoint when processing user-supplied SQL queries. A remote user can send a specially crafted SQL query to execute arbitrary SQL statements.
Exploitation requires the use of a datasource configured with allowMultiQueries=true.
3) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the MySQL datasource configuration and JDBC URL validation logic when processing a crafted datasource configuration request. A remote user can submit a datasource configuration that clears the JDBC parameter blocklist and points the connection to an attacker-controlled MySQL server to disclose sensitive information.
The datasource validation step opens the JDBC connection immediately, so the attacker does not need the datasource to be saved or used by anyone else. The rogue MySQL server then abuses the client-side LOCAL INFILE protocol: it answers the client's first query with a request for an arbitrary file path, and the driver sends that file's contents from the DataEase host's filesystem to the server.
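The two datasource issues above (a multi-statement connection string for the previewSql injection, and a cleared parameter blocklist plus an attacker-chosen host for the LOCAL INFILE read) both come down to accepting a JDBC URL from the user and connecting to it as-is. The following is an added example, not DataEase's own validation code, of the check a server should run before it opens such a connection: it pulls every property a caller can place in a MySQL JDBC URL, including those hidden in the Connector/J address=(key=value) host syntax or behind percent-encoding, rejects a constructed blocklist of dangerous Connector/J properties, and requires the database host to come from an allowlist. The property names are real Connector/J options; the choice of which ones to block, the host allowlist and the sample URLs are this example's own.

```python
"""Reject MySQL JDBC URLs that smuggle dangerous Connector/J properties or point at a
database host outside an allowlist. Added example, not DataEase code."""
import re
from urllib.parse import parse_qsl, unquote

# Real Connector/J property names; which ones to block is this example's own choice.
BLOCKED_PARAMS = frozenset({
    "allowloadlocalinfile",        # rogue server can pull client-side files (LOCAL INFILE)
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "allowmultiqueries",           # stacked statements in a single query
    "autodeserialize",             # Java deserialization of BLOB result columns
})

_PREFIX = re.compile(r"^jdbc:mysql(?:\+srv)?(?::(?:loadbalance|replication))?://", re.I)
# Connector/J host syntax: address=(host=..)(port=..)(anyProperty=..)
_PAREN_KV = re.compile(r"\(\s*([^=()]+?)\s*=\s*([^()]*?)\s*\)")


def _norm(key: str) -> str:
    # Decode twice to catch %2541-style double encoding, drop whitespace, fold case.
    return "".join(unquote(unquote(key)).split()).lower()


def jdbc_params(url: str) -> list[tuple[str, str]]:
    """All (key, value) pairs a caller could place in a MySQL JDBC URL."""
    m = _PREFIX.match(url)
    if not m:
        raise ValueError("not a MySQL JDBC URL")
    hostpart, _, query = url[m.end():].partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += _PAREN_KV.findall(hostpart)          # properties placed before the '?'
    return [(_norm(k), v) for k, v in pairs]


def jdbc_host(url: str) -> str:
    """Database host the URL would connect to, lower-cased, without port or credentials."""
    m = _PREFIX.match(url)
    if not m:
        raise ValueError("not a MySQL JDBC URL")
    hostpart = url[m.end():].partition("?")[0].split("/", 1)[0]
    for k, v in _PAREN_KV.findall(hostpart):      # address=(host=...) form
        if _norm(k) == "host":
            return v.lower()
    hostpart = hostpart.rsplit("@", 1)[-1]         # strip user:password@
    if hostpart.startswith("["):                   # IPv6 literal
        return hostpart[1:hostpart.index("]")].lower()
    return hostpart.split(":", 1)[0].lower()


def check_jdbc_url(url: str, allowed_hosts) -> list[str]:
    """Return the reasons to reject the URL; an empty list means it is acceptable."""
    try:
        params = jdbc_params(url)
        host = jdbc_host(url)
    except ValueError as err:
        return [str(err)]
    problems = [f"blocked parameter {k}={v!r}" for k, v in params if k in BLOCKED_PARAMS]
    if host not in {h.lower() for h in allowed_hosts}:
        problems.append(f"host {host!r} not in allowlist")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs; 203.0.113.5 is a documentation address standing in for an
    # attacker-controlled MySQL server.
    for sample in (
        "jdbc:mysql://db.internal:3306/de?useSSL=false",
        "jdbc:mysql://203.0.113.5:3306/de?allowLoadLocalInfile=true",
        "jdbc:mysql://db.internal/de?allow%4cOADLocalInfile=true",
        "jdbc:mysql://address=(host=203.0.113.5)(allowMultiQueries=true)/de",
    ):
        print(sample, "->", check_jdbc_url(sample, ["db.internal"]) or "ok")
```

Folding case and decoding keys twice is deliberately stricter than any one driver version needs; a blocklist compared byte-for-byte against the raw query string is exactly the kind of check that a crafted configuration request gets around.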
4) SQL injection (CVE-ID: CVE-2026-33207)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the /datasource/getTableField endpoint in CalciteProvider.java when handling a crafted tableName parameter. An authenticated remote user can send a specially crafted request to disclose sensitive information.
Exploitation requires authentication. The table-name validation check can be satisfied by first registering a malicious table name in an API or Excel datasource, so that the crafted name is an existing table from the application's point of view.
5) SQL injection (CVE-ID: CVE-2026-33122)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the datasource update interface when processing a Base64-encoded JSON configuration containing a new table definition. A remote user can send a specially crafted update request with a malicious deTableName value to disclose sensitive information.
The issue is triggered when updating an existing API type datasource and adding a new interface definition in the configuration field.
6) SQL injection (CVE-ID: CVE-2026-33121)
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the datasource save flow when processing a crafted API-type datasource configuration. A remote user can submit a specially crafted datasource configuration with a malicious deTableName value to execute arbitrary SQL commands.
The issue is triggered when the Base64-encoded JSON configuration is decoded and the deTableName field is used to construct a CREATE TABLE statement without sanitization.
7) SQL injection (CVE-ID: CVE-2026-33084)
The vulnerability allows a remote user to perform time-based blind SQL injection.
The vulnerability exists due to SQL injection in the getFieldEnumObj endpoint when handling a POST request to /de2api/datasetData/enumValueObj with a crafted sort parameter in the JSON body. A remote user can send a specially crafted request to perform time-based blind SQL injection.
Exploitation requires a valid X-DE-TOKEN and knowledge of a target queryId and datasetGroupId.
8) SQL injection (CVE-ID: CVE-2026-33083)
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in Order2SQLObj when processing the orderDirection parameter in dataset-related endpoints. A remote user can send a specially crafted request to execute arbitrary SQL commands.
Exploitation requires a valid session token and a valid dataset structure in the request.
9) SQL injection (CVE-ID: CVE-2026-33082)
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to insufficient sanitization of user-provided input in the dataset export filter processing in WhereTree2Str when handling POST requests to /de2api/datasetTree/exportDataset with a crafted expressionTree parameter. A remote user can send a specially crafted request to execute arbitrary SQL commands.
The issue occurs when a filter term uses a LIKE condition: the term's value is concatenated into the raw SQL query during transformation from the JSON input instead of being bound as a parameter.
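Issues 4 through 9 share one root cause: a user-controlled fragment (a table name such as deTableName or tableName, a sort column, an orderDirection value, or a LIKE term from a filter tree) is concatenated into SQL text. The following is an added example, not DataEase's own code, of how those fragments are handled safely, shown side by side with the concatenation pattern the advisories describe. Identifiers are validated against a strict allowlist and quoted, orderDirection is mapped onto the only two literals it may be, and LIKE terms are bound as parameters with wildcards escaped. The demo runs the vulnerable and hardened LIKE filter against an in-memory SQLite table; the table layout, rows, and payload are constructed for the example, and SQLite stands in for the MySQL targets the advisories concern (it accepts the same backtick quoting and ESCAPE clause).

```python
"""Safe construction of SQL from untrusted dataset/datasource fragments.
Added example, not DataEase code. SQLite is used in place of MySQL."""
import re
import sqlite3

# Allowlist for table and column identifiers: no quotes, spaces or statement terminators.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
ORDER_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
LIKE_ESCAPE = "\\"


def is_valid_identifier(name: str) -> bool:
    return bool(_IDENT.match(name))


def quote_ident(name: str) -> str:
    """Validate an identifier (e.g. deTableName) and quote it; reject anything else."""
    if not is_valid_identifier(name):
        raise ValueError(f"illegal identifier: {name!r}")
    return f"`{name}`"


def order_direction(value: str) -> str:
    """Map a user-supplied orderDirection onto ASC/DESC; anything else is rejected."""
    try:
        return ORDER_DIRECTIONS[value.strip().lower()]
    except KeyError:
        raise ValueError(f"illegal order direction: {value!r}") from None


def escape_like(term: str) -> str:
    """Escape LIKE wildcards so a filter value is matched literally."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def where_like_vulnerable(field: str, term: str) -> str:
    """The concatenation pattern the advisories describe: the term lands in the SQL text."""
    return f"{field} LIKE '%{term}%'"


def where_like_safe(field: str, term: str) -> tuple[str, tuple]:
    """Hardened form: identifier validated, term bound as a parameter."""
    pattern = "%" + escape_like(term) + "%"
    return f"{quote_ident(field)} LIKE ? ESCAPE '{LIKE_ESCAPE}'", (pattern,)


def build_query(table: str, field: str, term: str, sort_field: str, direction: str):
    """SELECT with a filtered LIKE term and an ORDER BY built only from allowlisted parts."""
    where, params = where_like_safe(field, term)
    sql = (f"SELECT id, {quote_ident(field)} FROM {quote_ident(table)} "
           f"WHERE {where} ORDER BY {quote_ident(sort_field)} {order_direction(direction)}")
    return sql, params


def demo(table: str = "api_orders") -> tuple[int, int]:
    """Row counts returned by the vulnerable and the safe filter for the same payload."""
    con = sqlite3.connect(":memory:")
    # The same quote_ident guards the CREATE TABLE built from a datasource's table name.
    con.execute(f"CREATE TABLE {quote_ident(table)} (id INTEGER, name TEXT)")
    con.executemany(f"INSERT INTO {quote_ident(table)} VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])      # constructed rows
    payload = "x%' OR 'a' LIKE '%a"                                 # constructed filter term
    rows_vuln = con.execute(
        f"SELECT id FROM {quote_ident(table)} WHERE {where_like_vulnerable('name', payload)}"
    ).fetchall()
    sql, params = build_query(table, "name", payload, "id", "desc")
    rows_safe = con.execute(sql, params).fetchall()
    return len(rows_vuln), len(rows_safe)


if __name__ == "__main__":
    print(demo())   # vulnerable filter returns every row, safe filter returns none
```

The identifier regex is intentionally narrower than what MySQL permits; names that fall outside it are a policy decision, and a product that must support them should keep the quoting but validate against the catalogue of tables it actually created rather than against the user's string.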
Remediation
Install the update from the vendor's website. Because every issue above is reached through datasource configuration or dataset query endpoints, limiting which accounts may create or edit datasources, and blocking outbound connections from the DataEase host to MySQL servers that are not yours, reduces exposure until the update is applied.
References
- https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466
- https://github.com/dataease/dataease
- https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx
- https://github.com/dataease/dataease/security/advisories/GHSA-944x-93jf-h3rx
- https://github.com/dataease/dataease/security/advisories/GHSA-pgh3-rgw3-xjmm
- https://github.com/advisories/GHSA-pgh3-rgw3-xjmm
- https://github.com/dataease/dataease/security/advisories/GHSA-28vg-3hv7-w92f
- https://github.com/advisories/GHSA-28vg-3hv7-w92f
- https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5
- https://github.com/advisories/GHSA-fg4m-q7ch-jqv5
- https://github.com/dataease/dataease/security/advisories/GHSA-r897-r9q8-3p2x
- https://github.com/dataease/dataease/security/advisories/GHSA-f443-95cf-m837
- https://github.com/advisories/GHSA-f443-95cf-m837
- https://github.com/dataease/dataease/security/advisories/GHSA-xxpw-2c8q-g693
- https://github.com/advisories/GHSA-xxpw-2c8q-g693