CVE-2026-50529
Received Received - Intake

Unauthenticated Token Exposure in DataEase via ProxyInfo

Vulnerability report for CVE-2026-50529, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid link token for subsequent share-related API calls even with missing or invalid credentials. This issue is fixed in version 2.10.24.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease to 2.10.24 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in DataEase, an open source data visualization and analysis tool, in versions prior to 2.10.24. The issue is with the /de2api/share/proxyInfo share interface, which generates and returns an X-DE-LINK-TOKEN before validating the share password or ticket. This means that an unauthenticated attacker who knows a protected share UUID can obtain a valid link token without providing valid credentials.

The valid link token can then be used for subsequent share-related API calls, potentially allowing unauthorized access to shared data.

This vulnerability was fixed in version 2.10.24.

Impact Analysis

The vulnerability allows unauthenticated attackers to bypass authentication controls by obtaining a valid link token without proper credentials. This can lead to unauthorized access to shared data or resources within the DataEase application.

Such unauthorized access could result in data exposure, data leakage, or manipulation of shared information, depending on what the attacker can do with the API calls using the stolen token.

Mitigation Strategies

To mitigate this vulnerability, upgrade DataEase to version 2.10.24 or later, where the issue has been fixed.

Compliance Impact

The vulnerability allows unauthenticated attackers to obtain a valid link token for share-related API calls without proper credential validation. This could lead to unauthorized access to protected data.

Such unauthorized access risks violating data protection requirements under regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive data.

Therefore, this vulnerability potentially compromises compliance with these standards by exposing data to unauthorized parties.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50529. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart