Executive Summary

CVE-2026-3053 is a critical authentication bypass vulnerability in DataLinkDC Dinky versions up to 1.2.5. The flaw is located in the OpenAPI endpoints, specifically in the addInterceptors function of the AppConfig.java file. Due to a severe logic error, unauthenticated requests are not rejected but instead automatically elevated to Super Admin privileges (User ID 1). This means that any unauthenticated user can gain full administrative access to the system.

The vulnerability arises because the authentication interceptor incorrectly switches unauthenticated sessions to an admin user instead of denying access. This allows attackers to perform arbitrary administrative actions without any authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts on confidentiality, integrity, and availability of the affected system.

• Confidentiality: Attackers can exfiltrate sensitive SQL source code and access all administrative configurations.
• Integrity: Unauthorized users can submit malicious SQL tasks, modify job configurations, and alter administrative settings.
• Availability: Attackers can cancel all production jobs, causing a complete denial of service.

Because the vulnerability allows unauthenticated users to gain Super Admin privileges remotely, attackers can fully compromise the platform, execute arbitrary tasks, cancel production jobs, restart tasks, trigger savepoints, explain SQL queries, and export sensitive data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing the OpenAPI endpoints under the /openapi/** path for unauthorized access and privilege escalation.

Specifically, attempts to access or perform administrative actions without authentication, such as submitting tasks, canceling jobs, or exporting SQL source code, indicate exploitation.

Suggested detection commands include sending unauthenticated HTTP requests to the following endpoints and checking for successful responses that should normally require authentication:

• POST request to /openapi/submitTask to test if task submission is allowed without authentication.
• GET request to /openapi/cancel to check if production jobs can be canceled without authentication.
• GET request to /openapi/exportSql to verify if sensitive SQL source code can be exfiltrated without authentication.

Additionally, monitoring logs for any unauthenticated access attempts to /openapi/** endpoints and setting up alerting or rate limiting on these paths can help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves removing the automatic privilege elevation code in the authentication interceptor that grants Super Admin access to unauthenticated users.

Specifically, modify the addInterceptors method to reject unauthenticated requests explicitly, for example by throwing an exception to stop processing such requests.

Recommended code change example:

• Use a router match on /openapi/** that checks if the user is logged in and rejects unauthenticated access by throwing a StopMatchException.

Additional hardening measures include:

• Implement API token authentication with cryptographically strong tokens.
• Apply method-level authorization annotations such as @SaCheckPermission.
• Enforce role-based access control.
• Restrict network access to the OpenAPI endpoints using firewalls or VPNs.
• Monitor and log all /openapi/** requests with alerting and rate limiting to detect and prevent exploitation.

Useful 0 Not Useful 0