CVE-2026-45417 in DataEaseinfo

Summary

by MITRE • 07/15/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase datasource connection status checks concatenate configuration.getSchema() into getTablesSql and execute the resulting SQL with executeQuery in io.dataease.datasource.provider.CalciteProvider#checkStatus, allowing SQL injection against DB2, SQL Server, PostgreSQL, and other affected datasources. This issue is fixed in version 2.10.23.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability identified in DataEase versions prior to 2.10.23 represents a critical SQL injection flaw that compromises the integrity of database connections within the data visualization platform. This security weakness exists specifically within the datasource connection status checking mechanism implemented in the CalciteProvider class, where the system fails to properly sanitize user input before incorporating it into database queries. The vulnerability manifests when the application concatenates configuration.getSchema() directly into the getTablesSql query string without adequate validation or escaping, creating an attack surface that allows malicious actors to inject arbitrary SQL commands.

The technical implementation of this flaw occurs in the io.dataease.datasource.provider.CalciteProvider#checkStatus method where the system executes a constructed SQL query using executeQuery. This improper input handling creates a classic SQL injection vulnerability that affects multiple database systems including DB2, SQL Server, and PostgreSQL, indicating the issue stems from a generic database abstraction layer rather than specific database implementations. The flaw falls under CWE-89 which categorizes SQL injection vulnerabilities as those where untrusted data is incorporated into SQL commands without proper sanitization or parameterization.

From an operational perspective, this vulnerability exposes DataEase installations to significant risks including unauthorized data access, data manipulation, and potential complete database compromise. Attackers could leverage this flaw to extract sensitive information from connected databases, modify or delete critical data, or even escalate privileges within the database environment. The impact extends beyond individual database breaches as DataEase serves as a visualization platform that typically handles business-critical analytics data, making the potential damage substantial for organizations relying on its functionality.

The security implications of this vulnerability align with ATT&CK technique T1071.004 which covers application layer protocol manipulation, and specifically targets the database access components that form the backend infrastructure of data visualization tools. Organizations using DataEase versions prior to 2.10.23 face heightened risk during routine connection status checks, as these operations provide a consistent attack vector that could be exploited by threat actors with minimal detection difficulty. The vulnerability's persistence across multiple database systems suggests a fundamental architectural flaw in the input validation mechanism rather than isolated database-specific issues.

Mitigation strategies should prioritize immediate upgrade to DataEase version 2.10.23 which contains the necessary fixes for this SQL injection vulnerability. Organizations should also implement network-level protections such as firewall rules restricting access to database endpoints and monitoring for unusual query patterns that might indicate exploitation attempts. Additionally, administrators should conduct comprehensive security audits of all database connections within DataEase deployments to identify potential compromise indicators and establish proper input validation controls throughout the application's data handling processes.

Responsible

GitHub M

Reservation

05/12/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!