CVE-2026-33207
SQL Injection in DataEase /datasource/getTableField Endpoint
Publication date: 2026-04-16
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dataease | dataease | to 2.10.21 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DataEase versions 2.10.20 and below, specifically in the /datasource/getTableField endpoint. It is a SQL injection vulnerability caused by the getTableFiledSql method in CalciteProvider.java, which directly incorporates the tableName parameter into SQL queries without proper parameterization or sanitization.
Although the system validates that the table name exists in the datasource, an attacker can bypass this validation by registering an API datasource with a malicious table name. This malicious table name is then returned by getTables and passes the validation check, allowing an authenticated attacker to execute arbitrary SQL commands.
This enables error-based extraction of sensitive database information. The vulnerability has been fixed in version 2.10.21.
How can this vulnerability impact me? :
An attacker who is authenticated can exploit this vulnerability to execute arbitrary SQL commands on the database.
This can lead to unauthorized access to sensitive database information through error-based extraction techniques.
Such unauthorized access can compromise the confidentiality and integrity of your data, potentially leading to data breaches or manipulation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade DataEase to version 2.10.21 or later, where the SQL injection issue has been fixed.
Additionally, restrict authenticated user permissions to limit the ability to register malicious API datasources, and monitor for suspicious activity involving the /datasource/getTableField endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated attacker to execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This exposure of sensitive data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Since the vulnerability enables unauthorized access to sensitive data through SQL injection, organizations using affected versions of DataEase may face increased risk of data breaches, which can result in violations of these standards and regulations.