Improper access control in DataEase - CVE-2026-50124

 


Published: June 18, 2026


Vulnerability identifier: #VU134823
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-50124
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DataEase
Affected software:
DataEase

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to improper access control across the Excel file upload API, H2 JDBC handling, and the SQL dataset query execution path. It is reachable when a crafted zip file is uploaded and an H2 data source is created that references it via the zip protocol. A remote user can upload a malicious H2 database in a zip file, create a crafted JDBC URL, and execute a query that invokes a precompiled Java alias to execute arbitrary code on the server.

The issue requires authentication and relies on chaining the file upload feature with direct query execution for single-datasource queries.
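For defenders reviewing an existing deployment, the check below flags stored data source definitions whose H2 JDBC URL points into a zip archive, the condition this advisory describes. It is an added example, not DataEase code or the vendor's fix; the record fields (`name`, `jdbc_url`) and every sample URL are constructed, and treating `zip` anywhere in a chain of H2 file-system prefixes as a finding is a conservative assumption.

```python
import re

# Constructed sample records; the field names are assumptions, not DataEase's schema.
SAMPLE_DATASOURCES = [
    {"name": "sales-mysql", "jdbc_url": "jdbc:mysql://db.example.internal:3306/sales"},
    {"name": "scratch-h2", "jdbc_url": "jdbc:h2:mem:scratch"},
    {"name": "report-h2", "jdbc_url": "jdbc:h2:file:/opt/app/data/report;MODE=MySQL"},
    {"name": "imported", "jdbc_url": " JDBC:H2:ZIP:/opt/app/upload/placeholder.zip!/db"},
    {"name": "chained", "jdbc_url": "jdbc:h2:split:zip:/opt/app/upload/placeholder.zip!/db"},
]

H2_PREFIX = re.compile(r"^jdbc:h2:", re.IGNORECASE)


def h2_location(jdbc_url):
    """Return the database location of an H2 URL, or None if the URL is not H2.

    Settings after the first ';' are dropped so only the location is inspected.
    """
    url = jdbc_url.strip()
    match = H2_PREFIX.match(url)
    if match is None:
        return None
    return url[match.end():].split(";", 1)[0]


def references_zip(jdbc_url):
    """True when an H2 URL names the zip file system in its location prefixes."""
    location = h2_location(jdbc_url)
    if location is None:
        return False
    # Every colon-terminated token before the final path segment is treated as a
    # possible file-system prefix and compared case-insensitively (conservative).
    prefixes = [token.strip().lower() for token in location.split(":")[:-1]]
    return "zip" in prefixes


def audit(datasources):
    """Return the names of data sources whose JDBC URL should be reviewed."""
    return [ds["name"] for ds in datasources if references_zip(ds["jdbc_url"])]


if __name__ == "__main__":
    for name in audit(SAMPLE_DATASOURCES):
        print("review data source:", name)
```

A hit is a reason to inspect who created the data source and which uploaded file it references, not proof of compromise.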


How to mitigate CVE-2026-50124

Install the security update from the vendor's website.
