CVE-2026-40900
SQL Injection in DataEase Allows Arbitrary Database Modification
Publication date: 2026-04-16
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dataease | dataease | to 2.10.21 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DataEase versions 2.10.20 and below, specifically in the /de2api/datasetData/previewSql endpoint. It is a SQL injection flaw where user-supplied SQL is wrapped in a subquery without validating that the input is a single SELECT statement.
Because of a JDBC blocklist bypass that enables allowMultiQueries=true, an attacker can break out of the subquery and execute multiple stacked SQL statements, including UPDATE and other write operations.
An authenticated attacker with valid datasource credentials can exploit this to gain full read and write access to the underlying database.
This vulnerability was fixed in version 2.10.21.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an authenticated attacker with valid datasource credentials to execute arbitrary SQL commands, including read and write operations, on the connected database.
This means the attacker can potentially modify, delete, or steal sensitive data stored in the database, leading to data breaches, data corruption, or unauthorized data manipulation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade DataEase to version 2.10.21 or later, where the issue has been fixed.
Additionally, restrict access to the /de2api/datasetData/previewSql endpoint and ensure that only trusted authenticated users with valid datasource credentials can access it.
Consider disabling allowMultiQueries=true in the JDBC configuration to prevent stacked SQL statement execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated attacker with valid datasource credentials to execute arbitrary SQL statements, including read and write operations, on the underlying database. This could lead to unauthorized access, modification, or disclosure of sensitive data.
Such unauthorized data access and manipulation can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.
Therefore, exploitation of this vulnerability could compromise compliance by exposing sensitive personal or health information to unauthorized parties or allowing unauthorized data changes.