SB2026061831 - Multiple vulnerabilities in DataEase

Published: June 18, 2026

Security Bulletin ID: SB2026061831
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 9
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 11%, Medium: 44%, Low: 44%

Description

This security bulletin contains information about 9 vulnerabilities.


1) Use of hard-coded credentials (CVE-ID: N/A)

CWE-ID: CWE-798 - Use of Hard-coded Credentials

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to access backend resources as the share creator.

The vulnerability exists due to the use of a hard-coded cryptographic key in ShareSecretManage and TokenFilter when verifying linkToken values for passwordless shares. A remote attacker can forge a JWT signed with the hard-coded default key to access backend resources as the share creator.

Exploitation requires obtaining a passwordless share corresponding to a valid uid and resourceId pair.


2) Cross-site scripting (CVE-ID: CVE-2026-55647)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.

The vulnerability exists due to cross-site scripting in the dashboard text components when rendering stored component content with Vue v-html. A remote user can inject crafted HTML with executable event handlers into component data to execute arbitrary script code in a victim's browser.

The issue affects the normal text component and the scrolling text component, and stored payloads can be triggered when another user or an unauthenticated shared-link visitor views the dashboard.
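The defensive counterpart to rendering stored component content as raw HTML is to sanitize it against an allowlist, both when it is saved and again before it is rendered. The following is an added example, not code from DataEase or from this bulletin; it assumes component content is an HTML string and that only a handful of formatting tags are legitimate. Every on* event handler, every script or style block and every link that is not http(s)/mailto is dropped and reported, so the rejection can be logged for detection.

```python
"""Allowlist sanitizer for stored text-component content (added example).

Assumption (not from the bulletin): component content is an HTML string the
UI renders as raw HTML, so it is sanitized on save and again before render.
Only a few formatting tags survive; every on* handler, script block and
non-http(s) link is dropped and reported so the rejection can be logged.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "p", "br", "span", "div", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")


def _safe_href(value: str) -> bool:
    # Strip whitespace/control characters first so "java\tscript:" cannot slip past the prefix check.
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    return compact.startswith(SAFE_HREF_PREFIXES) or (
        compact.startswith(("/", "#")) and not compact.startswith("//")
    )


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # audit trail of what was removed
        self._skip_depth = 0    # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            self._skip_depth += 1
            return
        if tag in ("script", "style"):
            self._skip_depth = 1
            self.dropped.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")   # tag removed, its text content is kept
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name == "href" and not _safe_href(value or ""):
                self.dropped.append(f"href:{value}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))   # text is always re-escaped


def sanitize(html: str):
    """Return (clean_html, dropped) where dropped lists removed tags/attributes."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The dropped list is the useful part for operations: a non-empty list on save means someone submitted content the UI was never meant to render, which is worth an alert long before a shared-link visitor opens the dashboard.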


3) SQL injection (CVE-ID: CVE-2026-55635)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and possibly modify data.

The vulnerability exists due to SQL injection in Quota2SQLObj.getYWheres() when processing quota or Y-axis filter values in chart definitions or chart data requests. A remote user can submit a specially crafted filter value to disclose sensitive information and possibly modify data.

Exploitation requires the ability to create or modify chart definitions, or to submit chart data requests containing quota filters.
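Filter values in a chart definition should only ever reach the database as bound parameters, with the field and operator resolved through allowlists. The example below is added here and is not DataEase's Quota2SQLObj code; it assumes a filter shaped as {"field", "op", "value"}, uses sqlite3 as a stand-in for the engine database, and places the injectable string-building pattern beside the parameterized one so the difference in behaviour is visible on the same constructed rows.

```python
"""Parameterized WHERE-clause building for chart quota/Y-axis filters (added example).

Assumptions (not from the bulletin): a filter is {"field", "op", "value"};
fields and operators are resolved through allowlists, and values are bound as
query parameters, never spliced into SQL text. sqlite3 stands in for the
engine database so the example runs offline.
"""
import sqlite3

# Column -> type the value must coerce to (example schema, constructed)
ALLOWED_FIELDS = {"sales": float, "quantity": int, "region": str}
ALLOWED_OPERATORS = {"eq": "=", "ne": "<>", "gt": ">", "ge": ">=", "lt": "<", "le": "<="}


def build_y_wheres_unsafe(filters):
    """The injectable pattern: the filter value becomes SQL text."""
    return " AND ".join(f'{f["field"]} {ALLOWED_OPERATORS[f["op"]]} {f["value"]}' for f in filters)


def build_y_wheres(filters):
    """Return (sql_fragment, params); raise ValueError on anything outside the allowlists."""
    clauses, params = [], []
    for f in filters:
        field, op, value = f.get("field"), f.get("op"), f.get("value")
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field: {field!r}")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"unknown operator: {op!r}")
        try:
            typed = ALLOWED_FIELDS[field](value)   # "0 OR 1=1" is not a float, so it is rejected here
        except (TypeError, ValueError):
            raise ValueError(f"value has wrong type for {field}: {value!r}") from None
        # Field text comes from the allowlist; the value is only ever a placeholder.
        clauses.append(f'"{field}" {ALLOWED_OPERATORS[op]} ?')
        params.append(typed)
    return " AND ".join(clauses), params


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales_fact (region TEXT, sales REAL, quantity INTEGER)")
    conn.executemany("INSERT INTO sales_fact VALUES (?, ?, ?)",
                     [("north", 100, 3), ("south", 50, 7), ("west", 300, 1)])   # constructed rows
    return conn


def chart_data(conn, filters):
    where, params = build_y_wheres(filters)
    sql = "SELECT region, SUM(sales) FROM sales_fact"
    if where:
        sql += " WHERE " + where
    sql += " GROUP BY region ORDER BY region"
    return conn.execute(sql, params).fetchall()


def chart_data_unsafe(conn, filters):
    sql = ("SELECT region, SUM(sales) FROM sales_fact WHERE "
           + build_y_wheres_unsafe(filters) + " GROUP BY region ORDER BY region")
    return conn.execute(sql).fetchall()


def demo():
    conn = open_sample_db()
    normal = [{"field": "sales", "op": "gt", "value": "80"}]
    crafted = [{"field": "sales", "op": "gt", "value": "0 OR 1=1"}]   # constructed: value carrying SQL
    results = {"normal": chart_data(conn, normal),
               "unsafe_with_crafted": chart_data_unsafe(conn, crafted)}
    try:
        chart_data(conn, crafted)
        results["crafted_rejected"] = False
    except ValueError:
        results["crafted_rejected"] = True
    return results
```

The type coercion step is what makes the rejection loud rather than silent: a crafted value fails validation and can be logged against the requesting user, instead of quietly binding as a string that matches nothing.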


4) Input validation error (CVE-ID: CVE-2026-55633)

CWE-ID: CWE-20 - Improper Input Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in FontManage#saveFile when handling file uploads. A remote user can upload a specially crafted zip archive disguised with a .ttf extension to execute arbitrary code.

Exploitation requires access to the upload endpoint and relies on the uploaded file being written to disk without content inspection.


5) Path traversal (CVE-ID: CVE-2026-55631)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists due to path traversal in the font management module when deleting a font record with a previously stored user-controlled fileTransName value. A remote user can create a font record with a crafted fileTransName and then delete that record to delete arbitrary files.

Exploitation requires access to the font management APIs and is limited to writable files within the application container.
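Issues 4 and 5 share one root: the font module trusts what the client supplies, first the content of the upload and then the stored fileTransName used at deletion. The following added example (not DataEase's FontManage code) shows the two checks a hardened store would make: the upload is sniffed by magic number so an archive under a .ttf name is refused before it is written, the stored name is generated server-side, and deletion re-validates the stored name and the resolved path so a crafted row can never point outside the font directory. The sample byte strings are constructed and carry only the header bytes, not real font data.

```python
"""Font upload and deletion hardening (added example covering items 4 and 5).

Assumptions (not from the bulletin): uploads must be .ttf/.otf, the stored
name (fileTransName) is generated server-side, and deletion only ever
touches a path that resolves inside the font directory. The sample bytes
below are constructed: they carry the right magic number but are not real fonts.
"""
import os
import pathlib
import tempfile
import uuid

# Leading bytes of the font containers we accept (sfnt version tags).
FONT_MAGIC = {b"\x00\x01\x00\x00": "ttf", b"true": "ttf", b"OTTO": "otf"}
ZIP_MAGIC = b"PK\x03\x04"
ALLOWED_EXTENSIONS = {".ttf", ".otf"}

FAKE_TTF = b"\x00\x01\x00\x00" + bytes(60)       # constructed: passes the sniff only
FAKE_ZIP = ZIP_MAGIC + b"\x14\x00" + bytes(60)     # constructed: a zip header uploaded under a .ttf name


def sniff_font(data: bytes):
    """Return 'ttf'/'otf' from the file header, or None. A real check would also
    parse the sfnt table directory; the magic number alone already stops an archive."""
    return FONT_MAGIC.get(data[:4])


class FontStore:
    def __init__(self, root):
        self.root = pathlib.Path(root).resolve()
        self.root.mkdir(parents=True, exist_ok=True)
        self.records = {}   # record id -> fileTransName (what the DB row would hold)

    def _resolve(self, file_trans_name: str) -> pathlib.Path:
        """Map a stored name to a path, refusing anything that leaves the font directory."""
        if file_trans_name in ("", ".", "..") or os.path.basename(file_trans_name) != file_trans_name:
            raise ValueError(f"unsafe fileTransName: {file_trans_name!r}")
        path = (self.root / file_trans_name).resolve()
        if path.parent != self.root:
            raise ValueError("resolved path escapes the font directory")
        return path

    def save_file(self, original_name: str, data: bytes) -> str:
        if pathlib.Path(original_name).suffix.lower() not in ALLOWED_EXTENSIONS:
            raise ValueError("extension not allowed")
        if data[:4] == ZIP_MAGIC:
            raise ValueError("archive content uploaded under a font extension")
        kind = sniff_font(data)
        if kind is None:
            raise ValueError("content does not look like a font")
        trans_name = f"{uuid.uuid4().hex}.{kind}"   # server-chosen; client input never names the file
        self._resolve(trans_name).write_bytes(data)
        record_id = uuid.uuid4().hex
        self.records[record_id] = trans_name
        return record_id

    def path_for(self, record_id: str) -> pathlib.Path:
        return self._resolve(self.records[record_id])

    def delete(self, record_id: str) -> None:
        # Validate again at delete time: rows written before a fix may hold crafted names.
        path = self._resolve(self.records[record_id])
        if path.is_file():
            path.unlink()
        del self.records[record_id]


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="fontstore-")
    store = FontStore(root)
    results = {}
    try:
        store.save_file("archive.ttf", FAKE_ZIP)
        results["zip_rejected"] = False
    except ValueError:
        results["zip_rejected"] = True
    rid = store.save_file("brand.ttf", FAKE_TTF)
    stored = store.path_for(rid)
    results["stored_inside_root"] = stored.parent == store.root and stored.is_file()
    store.records["legacy"] = "../outside.txt"   # simulate a pre-fix row holding a traversal name
    try:
        store.delete("legacy")
        results["traversal_rejected"] = False
    except ValueError:
        results["traversal_rejected"] = True
    store.delete(rid)
    results["deleted"] = not stored.exists()
    return results
```

Re-validating at delete time matters for the second issue in particular: fixing the create path does nothing for records that already exist, so the path check has to sit on every filesystem operation, not only on input.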


6) Input validation error (CVE-ID: CVE-2026-53751)

CWE-ID: CWE-20 - Improper Input Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in the JDBC URL validation logic for H2 database connections when handling a crafted H2 JDBC connection string. A remote user can send a specially crafted request containing Unicode-altered blacklisted parameters to execute arbitrary code.

Exploitation requires a valid DE token.
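A blocklist that matches substrings of the raw connection string is exactly what a Unicode-altered parameter name defeats, because compatibility forms of the same letters compare unequal until they are normalized. The added example below (not DataEase's JDBC validation code) normalizes the URL with NFKC, then accepts only an allowlisted database kind and allowlisted setting keys and values; the permitted kinds and settings are an illustrative policy, not the project's. A naive substring blocklist is shown beside it so the behavioural difference on the same constructed URL is clear.

```python
"""H2 JDBC URL validation with Unicode normalization and an allowlist (added example).

Assumptions (not from the bulletin): only in-memory and file databases are
permitted, database names are plain tokens (no path separators), and the only
connection settings a user may supply are the three listed below. The URLs
are constructed for the demo.
"""
import re
import unicodedata

ALLOWED_KINDS = {"mem", "file"}
ALLOWED_SETTINGS = {"DB_CLOSE_DELAY", "MODE", "IFEXISTS"}   # example policy; extend deliberately
VALUE_RE = re.compile(r"[A-Za-z0-9_\-]+")
DENIED_SUBSTRINGS = ("TRACE_LEVEL_FILE",)   # what a substring blocklist might contain (illustrative)


def blocklist_check(url: str) -> bool:
    """The weak pattern: substring match on the raw string, no normalization."""
    upper = url.upper()
    return not any(denied in upper for denied in DENIED_SUBSTRINGS)


def validate_h2_url(url: str) -> str:
    """Return a canonical URL rebuilt only from allowlisted parts, or raise ValueError."""
    canon = unicodedata.normalize("NFKC", url).strip()   # fullwidth/compatibility forms collapse to ASCII
    if not canon.isascii():
        raise ValueError("non-ASCII characters remain after normalization")
    head, *settings = canon.split(";")
    if not head.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 URL")
    kind, _, target = head[len("jdbc:h2:"):].partition(":")
    if kind.lower() not in ALLOWED_KINDS:
        raise ValueError(f"database kind not allowed: {kind!r}")
    if not VALUE_RE.fullmatch(target):
        raise ValueError(f"database name not allowed: {target!r}")
    kept = []
    for item in settings:
        if not item:
            continue
        key, sep, value = item.partition("=")
        key = key.strip().upper()
        if not sep or key not in ALLOWED_SETTINGS:
            raise ValueError(f"setting not allowed: {key!r}")
        if not VALUE_RE.fullmatch(value.strip()):
            raise ValueError(f"value not allowed for {key}: {value!r}")
        kept.append(f"{key}={value.strip()}")
    return ";".join([f"jdbc:h2:{kind.lower()}:{target}"] + kept)


def is_accepted(url: str) -> bool:
    try:
        validate_h2_url(url)
        return True
    except ValueError:
        return False


OK_URL = "jdbc:h2:mem:report;DB_CLOSE_DELAY=-1"
# Constructed: the setting key spelled with fullwidth letters, which a raw substring blocklist never matches.
OBFUSCATED_URL = "jdbc:h2:mem:report;ＴＲＡＣＥ＿ＬＥＶＥＬ＿ＦＩＬＥ=3"
REMOTE_URL = "jdbc:h2:tcp://db.internal/report"
```

Returning a rebuilt canonical string, rather than the caller's original after a check, is the second half of the fix: whatever is eventually handed to the driver is composed from validated pieces only, so no encoding trick in the original can survive into the connection.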


7) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-53730)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the /de2api/datasetData/previewSql endpoint when handling crafted API requests with datasourceId=-1. A remote user can send a specially crafted request to disclose sensitive information.

The issue allows execution of arbitrary SQL statements against the built-in engine database.


8) Improper access control (CVE-ID: CVE-2026-50530)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the POST /de2api/chartData/getData endpoint when handling share-mode chart data requests. A remote user can send a specially crafted request with a valid share link token while tampering with tableId and field identifiers to disclose sensitive information.

Exploitation requires a valid share link token and keeping the legitimate sceneId unchanged while referencing identifiers from an unshared dataset.


9) Improper access control (CVE-ID: CVE-2026-50529)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass share protection and access protected shared resources.

The vulnerability exists due to improper access control in the POST /de2api/share/proxyInfo endpoint when handling share password or ticket validation requests. A remote attacker can send a request with a protected share UUID and invalid or empty password or ticket values to bypass share protection and access protected shared resources.

The issue occurs because the X-DE-LINK-TOKEN is generated and returned before password or ticket validation is completed.
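Issues 1 and 9 are two ends of the same share-link token lifecycle: the token must be minted only after the password or ticket check has actually succeeded, and it must be verified against a per-deployment key so that a token signed with a shipped default is worthless. The following added example (not DataEase's ShareSecretManage, TokenFilter or proxyInfo code) puts both rules in one small service: a startup guard refuses the default key, proxy_info returns a token only on a successful credential check, and verify checks the algorithm, signature, expiry and resource binding. Share records, the default key value and the password are constructed for the demo.

```python
"""Share link token lifecycle (added example covering items 1 and 9).

Assumptions (not from the bulletin): a share record carries uid, resource_id
and an optional salted password hash; the link token is an HS256 JWT bound
to the resource; DEFAULT_KEY stands in for whatever default a build ships.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

DEFAULT_KEY = b"default-link-token-key"   # hypothetical shipped default; a deployment must never run with it


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(key: bytes, claims: dict) -> str:
    """Mint a compact HS256 JWT; exposed so the demo can show a token under the wrong key being refused."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class ShareTokenService:
    def __init__(self, key: bytes):
        # Startup guard: refuse the shipped default and anything too short to be a real secret.
        if hmac.compare_digest(key, DEFAULT_KEY) or len(key) < 32:
            raise ValueError("link-token key is the default or too short; configure a per-deployment key")
        self.key = key

    def verify(self, token: str, resource_id: str) -> dict:
        try:
            h, p, s = token.split(".")
        except ValueError:
            raise ValueError("malformed token") from None
        if json.loads(_unb64url(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")   # the token never gets to choose the algorithm
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64url(p))
        if claims.get("exp", 0) <= time.time():
            raise ValueError("expired")
        if claims.get("resourceId") != resource_id:
            raise ValueError("token not bound to this resource")
        return claims

    def proxy_info(self, share: dict, password: str, ttl: int = 3600):
        """Return the link token only after the credential check succeeds; otherwise None."""
        if share["password_hash"] is not None:
            if not password:
                return None   # an empty or missing credential is a failure, not a pass
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), share["salt"], 100_000)
            if not hmac.compare_digest(digest, share["password_hash"]):
                return None
        claims = {"uid": share["uid"], "resourceId": share["resource_id"], "exp": int(time.time()) + ttl}
        return sign_hs256(self.key, claims)   # minted strictly after validation


def make_share(uid: str, resource_id: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"uid": uid, "resource_id": resource_id, "salt": salt,
            "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


def demo() -> dict:
    svc = ShareTokenService(secrets.token_bytes(32))
    share = make_share("share-creator", "dashboard-42", "s3cret-pass")   # constructed
    results = {
        "empty_password_rejected": svc.proxy_info(share, "") is None,
        "wrong_password_rejected": svc.proxy_info(share, "guess") is None,
    }
    token = svc.proxy_info(share, "s3cret-pass")
    results["valid_token_verifies"] = svc.verify(token, "dashboard-42")["uid"] == "share-creator"
    under_default = sign_hs256(DEFAULT_KEY, {"uid": "share-creator", "resourceId": "dashboard-42",
                                             "exp": int(time.time()) + 3600})
    try:
        svc.verify(under_default, "dashboard-42")
        results["default_key_token_rejected"] = False
    except ValueError:
        results["default_key_token_rejected"] = True
    try:
        ShareTokenService(DEFAULT_KEY)
        results["default_key_refused_at_startup"] = False
    except ValueError:
        results["default_key_refused_at_startup"] = True
    return results
```

The ordering in proxy_info is the whole point of item 9: nothing that can be used as X-DE-LINK-TOKEN exists until the password or ticket check has returned success. The startup guard addresses item 1 from the operator's side, because a key that can be forged is only dangerous while a deployment is willing to verify against it.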


Remediation

Install the update from the vendor's website.