CVE-2026-32137

Received Received - Intake

SQL Injection in Dataease /de2api/datasource/previewData Endpoint

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-12

Last Modified

2026-03-13

Generated

2026-06-16

AI Q&A

2026-03-12

EPSS Evaluated

2026-06-15

NVD

CVE-2026-32137

EUVD

EUVD-2026-11647

Affected Vendors & Products

Vendor	Product	Version / Range
dataease	dataease	to 2.10.20 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32137 is a high-severity SQL Injection vulnerability in DataEase versions prior to 2.10.20. The issue occurs because the 'table' parameter in the POST endpoint /de2api/datasource/previewData is directly concatenated into an SQL query string without any filtering or parameterization."}, {'type': 'paragraph', 'content': "Since the 'table' parameter is user-controlled, an attacker can craft malicious table names containing SQL injection payloads. This allows the attacker to inject arbitrary SQL code into the query."}, {'type': 'paragraph', 'content': 'For example, an attacker can send a specially crafted request that injects a UNION SELECT statement to retrieve sensitive database information such as the database user, current database name, version, and compile OS.'}, {'type': 'paragraph', 'content': 'This vulnerability was fixed in version 2.10.20 by presumably adding proper input validation or parameterization.'}] [1]

Impact Analysis

This SQL Injection vulnerability can have severe impacts including unauthorized access to sensitive database information.

An attacker exploiting this vulnerability can execute arbitrary SQL commands, potentially leading to data leakage, data corruption, or unauthorized data manipulation.

Because the vulnerability allows extraction of database details and possibly other sensitive data, it can compromise the confidentiality and integrity of your data.

The vulnerability has a high CVSS score of 9.3, indicating it is critical and can be exploited remotely without authentication.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the SQL injection point in the POST endpoint `/de2api/datasource/previewData` using crafted payloads in the `table` parameter.'}, {'type': 'paragraph', 'content': 'A detection method involves sending a POST request with a malicious payload that tries to inject SQL code, such as a UNION SELECT statement, to observe if the system returns database information or behaves unexpectedly.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X POST https://[target]/de2api/datasource/previewData -H \'Content-Type: application/json\' -d \'{"table": "area` WHERE 1=2 UNION SELECT user(),database(),version(),@@version_compile_os-- ", "id": "985188400292302848"}\''}, {'type': 'paragraph', 'content': 'If the response contains database user, database name, version, or OS information, it indicates the presence of the SQL injection vulnerability.'}] [1]

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade DataEase to version 2.10.20 or later, where the vulnerability has been fixed.

This fix presumably includes proper input validation or parameterization of the `table` parameter to prevent SQL injection.

Until the upgrade can be performed, restrict access to the vulnerable endpoint `/de2api/datasource/previewData` to trusted users or networks to reduce the risk of exploitation.

Hi! I’m here to help you understand CVE-2026-32137. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-32137

SQL Injection in Dataease /de2api/datasource/previewData Endpoint

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart