SB2026061830 - Multiple vulnerabilities in DataEase




Published: June 18, 2026

Security Bulletin ID: SB2026061830
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 17%, Medium: 58%, Low: 25%

Description

This security bulletin contains information about 12 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2026-49867)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser session.

The vulnerability exists due to improper neutralization of script in the template static-resource handling when processing template save or import requests containing crafted SVG content. A remote user can submit a crafted SVG file through a template or import flow to execute arbitrary JavaScript in the victim's browser session.

User interaction is required to open or otherwise load the generated SVG resource served from the application's same-origin public static-resource path.


2) SQL injection (CVE-ID: CVE-2026-45535)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL queries and disclose sensitive information.

The vulnerability exists due to SQL injection in the handleVariableDefaultValue() method of SqlparserUtils.java when processing default values for SQL variables in SQL-type datasets. A remote user can create or edit a crafted dataset with a malicious defaultValue to execute arbitrary SQL queries and disclose sensitive information.

The malicious payload is stored when the dataset is saved and is triggered when a user with dataset read permission accesses the dataset.


3) Improper access control (CVE-ID: CVE-2026-45534)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper access control in the Redshift datasource connection handling when processing a crafted JDBC connection request that triggers loading of a Redshift JDBC configuration file from the temporary directory. A remote attacker can send a specially crafted request to execute arbitrary code.

Exploitation requires a malicious rsjdbc.ini file to be present in the directory specified by System.getProperty("java.io.tmpdir").


4) Path traversal (CVE-ID: CVE-2026-45533)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to delete arbitrary directories on the server.

The vulnerability exists due to path traversal in the bulk delete API endpoint when processing user-supplied directory paths. A remote user can inject path traversal sequences into a crafted request to delete arbitrary directories on the server.

The issue can be exploited recursively through the API.


5) Path traversal (CVE-ID: CVE-2026-45532)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in StaticResourceServer#findResourceAsBase64 and StaticResourceUtils#getImgFileToBase64 when handling crafted resource path input on Windows systems. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue occurs because backslash path separators are not properly filtered on Windows.
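The check below is an added illustration, not DataEase's own code, of the separator handling that items 5 and 6 turn on: a resource path is only accepted after every backslash has been folded into a forward slash, so a `..\..\` sequence is caught even on a platform where the backslash is an ordinary filename character. The base directory and sample paths are constructed for the example.

```python
import posixpath
from typing import Optional


def is_safe_resource_path(user_path: str) -> bool:
    """Return True only for a plain relative path with no traversal segment.

    Both '/' and '\\' are treated as separators *before* any other check, so a
    Windows-only bypass such as '..\\..\\secret.txt' is rejected even when the
    validator itself runs on a POSIX host.
    """
    if not user_path or "\x00" in user_path:
        return False
    # Fold backslashes first; a check that only looks for "../" would miss "..\".
    normalised = user_path.replace("\\", "/")
    # Reject absolute POSIX paths and Windows drive-letter forms (C:/...).
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    # Reject any ".." segment outright rather than letting normpath fold it away.
    segments = [s for s in normalised.split("/") if s not in ("", ".")]
    if not segments or any(s == ".." for s in segments):
        return False
    return True


def resolve_under(base: str, user_path: str) -> Optional[str]:
    """Join a validated path under base; return None if it is unsafe.

    base is a constructed example directory; the startswith() check is the
    second line of defence in case the segment check is ever weakened.
    """
    if not is_safe_resource_path(user_path):
        return None
    root = base.rstrip("/")
    joined = posixpath.normpath(posixpath.join(root, user_path.replace("\\", "/")))
    return joined if joined.startswith(root + "/") else None
```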


6) Path traversal (CVE-ID: CVE-2026-45419)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to write arbitrary files.

The vulnerability exists due to improper limitation of a pathname to a restricted directory in TemplateManageService#save and StaticResourceServer#saveFilesToServe when handling requests to /de2api/templateManage/save with a controllable staticResource parameter. A remote user can send a specially crafted request to write arbitrary files.

The file name and file content are fully controllable through the staticResource parameter, and the file content is transmitted in base64 encoding.


7) Improper Authentication (CVE-ID: CVE-2026-46684)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to improper authentication in TokenFilter and CommunityTokenFilter when handling requests to authenticated functionality and datasource operations. A remote attacker can forge a sufficiently long JWT to access protected endpoints and supply a crafted Redshift JDBC URL that writes a malicious script which is later executed, resulting in arbitrary command execution.

This issue affects the enterprise edition when license validation is enabled, because JWT payload fields are accepted without signature verification.
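As an added example that is not part of the bulletin or DataEase's filters, the two functions below contrast the unsafe pattern the bulletin describes (decoding the payload and trusting its fields) with a verifier that pins the algorithm and checks the HMAC before returning any claim. HS256 and the secret are assumptions for the demonstration; the minting and tampering helpers exist only to build test tokens.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token (assumed algorithm) so the checks below have input."""
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    body = _encode_json(payload)
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def tamper_payload(token: str, new_payload: dict) -> str:
    """Re-encode the payload but keep the old signature: what a forged token looks like."""
    header, _, sig = token.split(".")
    return f"{header}.{_encode_json(new_payload)}.{sig}"


def claims_without_verification(token: str) -> dict:
    """Unsafe pattern: decode the middle segment and trust whatever it says."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def claims_with_verification(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only when the signature is valid; None otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        given_sig = _b64url_decode(parts[2])
        # Pin the algorithm so "alg": "none" or a swapped algorithm is refused.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given_sig):
            return None
        return json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers malformed base64 and malformed JSON
        return None


SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for the example
```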


8) SQL injection (CVE-ID: CVE-2026-45417)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary SQL queries.

The vulnerability exists due to SQL injection in io.dataease.datasource.provider.CalciteProvider#getTablesSql when handling crafted datasource configuration and schema values during datasource validation or table retrieval. A remote user can send a specially crafted request to execute arbitrary SQL queries.

The issue can be triggered through the /datasource/validate, /datasource/save, and /datasource/getTables paths, and in some cases injected query results are returned directly to the frontend.


9) Improper access control (CVE-ID: CVE-2026-50030)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the /de2api/datasetData/previewSql endpoint and SQL preview processing path when handling preview requests with caller-controlled Base64-encoded SQL, datasourceId, and isCross=true. A remote attacker can send a specially crafted preview request to disclose sensitive information.

The issue affects cross-datasource preview mode because the authorization check returns true unconditionally, and the backend executes the supplied SQL against a reachable target datasource and returns query rows in the preview response.


10) Improper access control (CVE-ID: CVE-2026-50124)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to improper access control in the Excel file upload API, H2 JDBC handling, and SQL dataset query execution path when uploading a crafted zip file and creating an H2 data source that references it via the zip protocol. A remote user can upload a malicious H2 database in a zip file, create a crafted JDBC URL, and execute a query that invokes a precompiled Java alias to execute arbitrary code on the server.

The issue requires authentication and relies on chaining the file upload feature with direct query execution for single-datasource queries.


11) SQL injection (CVE-ID: CVE-2026-45320)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to inject arbitrary SQL and disclose sensitive information.

The vulnerability exists due to SQL injection in SqlparserUtils.transFilter() when processing user-supplied dashboard filter values for SqlVariable placeholders in dataset SQL statements. A remote user can send a specially crafted POST request with a malicious filter value to inject arbitrary SQL and disclose sensitive information.

The target dashboard only needs to be visible to the current user.


12) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-53729)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the /exportCenter/download/{id} endpoint when handling requests with a manipulated task ID parameter. A remote attacker can request a crafted task ID to disclose sensitive information.

The endpoint is included in the authentication whitelist, allowing access without passing TokenFilter or SsoFilter.


Remediation

Install the update from the vendor's website.