CVE-2026-32137 in Dataease

Summary

by MITRE • 03/12/2026

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, the table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL statements by constructing malicious table names. This vulnerability is fixed in 2.10.20.


Analysis

by VulDB Data Team • 03/15/2026

The vulnerability identified as CVE-2026-32137 affects Dataease, an open source data visualization and analysis platform, specifically targeting versions prior to 2.10.20. This issue resides within the /de2api/datasource/previewData endpoint where the system processes table parameters without adequate input validation or sanitization. The flaw represents a critical security weakness that directly exposes the application to SQL injection attacks through improper parameter handling.

The technical implementation of this vulnerability stems from the direct concatenation of user-supplied table names into SQL queries without any form of parameterization or input filtering. When the tableName parameter is passed to the previewData API endpoint, the system treats it as a literal string and incorporates it directly into the SQL execution statement. This approach violates fundamental security principles for database interactions and creates an environment where malicious actors can manipulate the query structure through carefully crafted table names. The vulnerability manifests as a classic SQL injection vector where attackers can inject arbitrary SQL commands by constructing malicious table names that get executed as part of the database query.

The operational impact of this vulnerability is severe and far-reaching within the Dataease ecosystem. An attacker who successfully exploits this vulnerability could potentially access, modify, or delete sensitive data stored within the connected databases. The attack surface extends beyond simple data theft to include complete database compromise, allowing unauthorized users to escalate privileges, extract confidential information, or even disrupt database operations. Given that Dataease is designed for data visualization and analysis, the compromised data often contains business-critical information, making this vulnerability particularly dangerous for organizations relying on the platform for analytics and reporting purposes.

This vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws in software applications. The flaw represents a direct violation of secure coding practices and demonstrates the importance of implementing proper input validation and parameterized queries. From an attack framework perspective, this vulnerability maps to multiple ATT&CK techniques including T1071.004 for application layer protocol and T1566 for credential access through exploitation of software vulnerabilities. The vulnerability also intersects with T1213 for data exploitation and T1499 for endpoint disruption, highlighting the comprehensive impact across multiple attack phases.

Organizations utilizing Dataease should immediately upgrade to version 2.10.20 or later to remediate this vulnerability. The fix implemented in the newer version addresses the core issue by introducing proper parameterization of table names and implementing input validation controls. Additional mitigations include implementing network-level restrictions to limit access to the affected API endpoint, monitoring for suspicious query patterns, and conducting comprehensive security assessments of the application's database interactions. Security teams should also consider implementing web application firewalls and database activity monitoring solutions to detect and prevent exploitation attempts, while ensuring that all user inputs are properly sanitized before any database operations occur.
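The concatenation pattern the advisory describes, side by side with a hardened preview handler, as an added example that is not Dataease's own code. Table identifiers cannot be bound as query parameters in most drivers, so the hardened version allowlists the requested name against the live catalogue and quotes it, while still binding ordinary values such as the row limit; the schema, table names and the function names preview_data_vulnerable / preview_data_hardened are constructed for this example and use an in-memory SQLite database.

```python
import re
import sqlite3

# Identifiers cannot be bound as query parameters, so the hardened handler
# validates the requested name against the catalogue and quotes it.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_demo_db():
    """Constructed sample database standing in for a Dataease datasource."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE sales (id INTEGER, amount REAL);"
        "INSERT INTO sales VALUES (1, 10.5), (2, 20.0), (3, 7.25);"
        "CREATE TABLE secrets (token TEXT);"
        "INSERT INTO secrets VALUES ('constructed-secret');"
    )
    return conn


def preview_data_vulnerable(conn, table_name, limit=2):
    """The pattern the advisory describes: the name is concatenated verbatim."""
    sql = "SELECT * FROM " + table_name + " LIMIT " + str(limit)
    return conn.execute(sql).fetchall()


def preview_data_hardened(conn, table_name, limit=2):
    """Allowlist the identifier against the live catalogue, then quote it."""
    if not IDENT_RE.fullmatch(table_name):
        raise ValueError("invalid table identifier")
    known = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table_name not in known:
        raise ValueError("unknown table")
    # The identifier is now known-good; values such as LIMIT are still bound.
    quoted = '"' + table_name.replace('"', '""') + '"'
    return conn.execute(f"SELECT * FROM {quoted} LIMIT ?", (limit,)).fetchall()


def rejects(conn, table_name):
    """True when the hardened handler refuses the supplied table name."""
    try:
        preview_data_hardened(conn, table_name)
    except ValueError:
        return True
    return False
```

The vulnerable handler passes the identifier straight into the statement text; the hardened one refuses anything that is not a plain identifier naming an existing table, which is the control an upgrade to 2.10.20 is described as adding.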

Responsible: GitHub M

Reservation: 03/10/2026

Disclosure: 03/12/2026

Moderation: accepted

CPE: ready

EPSS: 0.00073

KEV: no

Activities: very low
