CVE-2026-33207

Received Received - Intake

SQL Injection in DataEase /datasource/getTableField Endpoint

Publication date: 2026-04-16

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-16

Last Modified

2026-04-20

Generated

2026-06-16

AI Q&A

2026-04-16

EPSS Evaluated

2026-06-15

NVD

CVE-2026-33207

EUVD

EUVD-2026-23291

Affected Vendors & Products

Vendor	Product	Version / Range
dataease	dataease	to 2.10.21 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability exists in DataEase versions 2.10.20 and below, specifically in the /datasource/getTableField endpoint. It is a SQL injection vulnerability caused by the getTableFiledSql method in CalciteProvider.java, which directly incorporates the tableName parameter into SQL queries without proper parameterization or sanitization.

Although the system validates that the table name exists in the datasource, an attacker can bypass this validation by registering an API datasource with a malicious table name. This malicious table name is then returned by getTables and passes the validation check, allowing an authenticated attacker to execute arbitrary SQL commands.

This enables error-based extraction of sensitive database information. The vulnerability has been fixed in version 2.10.21.

Impact Analysis

An attacker who is authenticated can exploit this vulnerability to execute arbitrary SQL commands on the database.

This can lead to unauthorized access to sensitive database information through error-based extraction techniques.

Such unauthorized access can compromise the confidentiality and integrity of your data, potentially leading to data breaches or manipulation.

Mitigation Strategies

To mitigate this vulnerability, upgrade DataEase to version 2.10.21 or later, where the SQL injection issue has been fixed.

Additionally, restrict authenticated user permissions to limit the ability to register malicious API datasources, and monitor for suspicious activity involving the /datasource/getTableField endpoint.

Compliance Impact

The vulnerability allows an authenticated attacker to execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This exposure of sensitive data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Since the vulnerability enables unauthorized access to sensitive data through SQL injection, organizations using affected versions of DataEase may face increased risk of data breaches, which can result in violations of these standards and regulations.

Hi! I’m here to help you understand CVE-2026-33207. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-33207

SQL Injection in DataEase /datasource/getTableField Endpoint

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart