CVE-2026-45320 in DataEaseinfo

Summary

by MITRE • 07/15/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase dashboard SQL variables such as ${deptId} are processed by SqlparserUtils.transFilter(), whose final branch returns raw user input for non-in and non-between operators before SubstitutedSql.replace("${var}", value) splices it into dashboard SQL, allowing authenticated users who can view a dashboard to inject SQL against integrated datasources. This issue is fixed in version 2.10.23

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability affects DataEase versions prior to 2.10.23 and represents a critical server-side SQL injection flaw that undermines the security of dashboard components. The vulnerability stems from improper handling of SQL variables within the SqlparserUtils.transFilter() method where user-provided input is directly incorporated into SQL queries without adequate sanitization or validation. When dashboard users interact with SQL variables such as ${deptId}, the system processes these variables through a code path that fails to properly escape or parameterize the input for operators other than in and between, creating an exploitable condition that allows authenticated users to inject malicious SQL commands.

The technical implementation of this vulnerability occurs within the SqlparserUtils.transFilter() function where the code follows distinct branches based on SQL operators. For non-in and non-between operators, the system directly substitutes user-provided values without proper escaping mechanisms, leaving the raw input vulnerable to SQL injection attacks. This substitution process happens before the final SQL construction, allowing attackers to manipulate the query structure through carefully crafted input values that can alter the intended database operations. The vulnerability is particularly dangerous because it operates within the dashboard context where users already possess viewing permissions, making it an insider threat vector rather than requiring additional privilege escalation.

The operational impact of this vulnerability extends beyond simple data theft, as authenticated users with dashboard access can potentially execute arbitrary SQL commands against integrated data sources. This could lead to unauthorized data access, data modification, or even complete database compromise depending on the privileges of the underlying database connections. The attack surface is broadened by the fact that multiple dashboard components may be vulnerable, and the injection occurs at the SQL parsing layer where attackers can manipulate query execution flow rather than simply retrieving data through normal query interfaces.

Mitigation strategies should focus on implementing proper input sanitization and parameterized query construction throughout the SqlparserUtils.transFilter() method. The fix in version 2.10.23 addresses this by ensuring that all user-provided SQL variable values are properly escaped or parameterized regardless of the SQL operator being processed. Organizations should also implement robust access controls and monitor dashboard usage patterns for suspicious activity, while following security best practices such as least privilege principles and regular security updates. This vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws in software applications, and could be categorized under ATT&CK technique T1071.004 for application layer protocol manipulation, emphasizing the importance of proper input validation and parameterization in database query construction processes.

Responsible

GitHub M

Reservation

05/11/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!