CVE-2026-53729
Received Received - Intake

Authenticated Export Task Manipulation in DataEase

Vulnerability report for CVE-2026-53729, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download (/exportCenter/download/{id}), delete (/exportCenter/delete), retry (/exportCenter/retry/{id}), or generate download links (/exportCenter/generateDownloadUri/{id}) for export tasks belonging to other users by manipulating the task ID parameter, and the /exportCenter/download/{id} endpoint is whitelisted from authentication, allowing unauthenticated access to exported files. This issue is fixed in version 2.10.24.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease 2.10.24

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects DataEase, an open source data visualization and analysis tool, in versions prior to 2.10.24. It allows any authenticated user to manipulate the task ID parameter to download, delete, retry, or generate download links for export tasks that belong to other users. Additionally, the download endpoint (/exportCenter/download/{id}) is whitelisted from authentication, which means unauthenticated users can access exported files without any restrictions.

Impact Analysis

This vulnerability can lead to unauthorized access and manipulation of export tasks and exported files belonging to other users. An attacker could download sensitive data, delete important export tasks, or generate download links without permission. Since the download endpoint is accessible without authentication, sensitive exported files could be accessed by anyone, potentially leading to data leakage or loss.

Detection Guidance

This vulnerability involves unauthorized access to export tasks via specific endpoints, including /exportCenter/download/{id}, /exportCenter/delete, /exportCenter/retry/{id}, and /exportCenter/generateDownloadUri/{id}. Detection can focus on monitoring access to these endpoints, especially attempts to access or manipulate task IDs that do not belong to the authenticated user.

Since the /exportCenter/download/{id} endpoint is whitelisted from authentication, unauthenticated access attempts to this endpoint should be logged and reviewed.

Suggested commands to detect potential exploitation attempts include:

  • Using web server logs (e.g., Apache or Nginx) to search for requests to /exportCenter/download/, /exportCenter/delete, /exportCenter/retry/, or /exportCenter/generateDownloadUri/ endpoints.
  • Example command to search logs for suspicious access (Linux):
  • grep -E "/exportCenter/download/|/exportCenter/delete|/exportCenter/retry/|/exportCenter/generateDownloadUri/" /var/log/nginx/access.log
  • Monitor for requests without valid authentication tokens or from unexpected IP addresses.
Mitigation Strategies

The primary mitigation is to upgrade DataEase to version 2.10.24 or later, where this vulnerability is fixed.

Until the upgrade can be applied, consider the following immediate steps:

  • Restrict access to the /exportCenter/download/{id} endpoint to authenticated users only, removing the whitelist exemption.
  • Implement strict authorization checks to ensure users can only access export tasks that belong to them.
  • Monitor and log access to the affected endpoints to detect and respond to suspicious activity.
Compliance Impact

The vulnerability allows unauthenticated access to exported files and unauthorized manipulation of export tasks belonging to other users. This could lead to unauthorized disclosure of sensitive data, which may violate data protection regulations such as GDPR and HIPAA that require strict controls on access to personal and health information.

Specifically, the ability for any user or unauthenticated party to download or delete export tasks of others can result in data breaches or loss of data integrity, impacting compliance with confidentiality, integrity, and availability requirements mandated by these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53729. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart