CVE-2026-53730
Received Received - Intake

SQL Injection in DataEase via Unauthorized SQL Preview

Vulnerability report for CVE-2026-53730, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation, allowing any authenticated user to specify datasourceId=-1, access the built-in engine database, execute arbitrary SQL statements, and read sensitive core data. This issue is fixed in version 2.10.24.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease to 2.10.24 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in DataEase, an open source data visualization and analysis tool, in versions prior to 2.10.24. The issue is that the /de2api/datasetData/previewSql endpoint does not have the required @DePermit permission validation annotation. As a result, any authenticated user can specify datasourceId=-1 to access the built-in engine database, execute arbitrary SQL statements, and read sensitive core data.

This vulnerability allows unauthorized access to sensitive data and arbitrary SQL execution within the application.

Impact Analysis

The vulnerability can have serious impacts including unauthorized access to sensitive core data and the ability for an attacker to execute arbitrary SQL commands on the built-in engine database.

This could lead to data breaches, data manipulation, or disruption of the application’s normal operation.

Compliance Impact

The vulnerability allows any authenticated user to execute arbitrary SQL statements and read sensitive core data without proper permission validation. This unauthorized access to sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

By enabling unauthorized data access, the vulnerability undermines compliance with standards that mandate confidentiality, integrity, and controlled access to sensitive data.

Mitigation Strategies

To mitigate this vulnerability, upgrade DataEase to version 2.10.24 or later, where the issue is fixed.

Ensure that the /de2api/datasetData/previewSql endpoint enforces the @DePermit permission validation annotation to prevent unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53730. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart