CVE-2026-50530
Received Received - Intake

Data Leakage via Chart Data API in DataEase

Vulnerability report for CVE-2026-50530, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing an attacker with a valid share link token to replace dataset identifiers and retrieve unauthorized data through POST /de2api/chartData/getData. This issue is fixed in version 2.10.24.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease to 2.10.24 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in DataEase, an open source data visualization and analysis tool, in versions prior to 2.10.24. The issue is that the share mode chart data interface only checks if the sceneId matches the resourceId in the link token but does not verify whether the tableId and field IDs in the request body actually belong to the shared resource.

Because of this insufficient validation, an attacker who has a valid share link token can manipulate the dataset identifiers in the request to access unauthorized data by sending a POST request to /de2api/chartData/getData.

This vulnerability was fixed in version 2.10.24.

Impact Analysis

The vulnerability allows an attacker with a valid share link token to bypass intended data access restrictions and retrieve unauthorized data by altering dataset identifiers in requests.

This can lead to data leakage, exposing sensitive or confidential information that should not be accessible to the attacker.

Such unauthorized data access can compromise the confidentiality and integrity of your data, potentially causing harm to your organization or users.

Mitigation Strategies

To mitigate this vulnerability, upgrade DataEase to version 2.10.24 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows an attacker with a valid share link token to retrieve unauthorized data by manipulating dataset identifiers. Such unauthorized data access can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on data access and confidentiality.

Because the vulnerability enables exposure of data beyond authorized scopes, it may result in non-compliance with standards that mandate data access restrictions and protection of sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50530. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart