CVE-2026-45533 in DataEaseinfo

Summary

by MITRE • 07/15/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase export-center deletion can accept path traversal sequences such as ../ in the bulk delete API endpoint and pass attacker-controlled identifiers to ExportCenterManage.delete, allowing recursive deletion of arbitrary server directories through export task cleanup. This issue is fixed in version 2.10.23.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability identified in DataEase versions prior to 2.10.23 represents a critical path traversal flaw within the export-center deletion functionality that directly impacts the system's file system security model. This weakness exists in the bulk delete API endpoint where the application fails to properly sanitize user-supplied identifiers before passing them to the ExportCenterManage.delete method. The implementation allows attackers to inject directory traversal sequences such as ../ which enables recursive deletion of arbitrary server directories during export task cleanup operations.

From a technical perspective this vulnerability maps directly to CWE-22 Path Traversal and CWE-77 Path Traversal in the Common Weakness Enumeration catalog, with the specific attack pattern falling under the category of directory traversal through input validation bypass. The flaw demonstrates how inadequate input sanitization can lead to severe privilege escalation scenarios where authenticated users can manipulate system file operations beyond their intended scope. The vulnerability operates at the application layer and requires minimal privileges since it leverages existing functionality rather than requiring elevated access rights.

The operational impact of this vulnerability extends far beyond simple data deletion, as it provides attackers with the capability to perform recursive directory removal that could compromise entire server structures. During export task cleanup operations, the system processes attacker-controlled identifiers without proper validation, allowing malicious actors to traverse filesystem boundaries and delete files in arbitrary locations. This creates a significant risk for data integrity and system availability, potentially leading to complete system compromise or denial of service conditions.

Security practitioners should consider this vulnerability in relation to ATT&CK technique T1211 Lateral Movement through Path Traversal, where attackers use such flaws to manipulate file systems and establish persistence. The remediation approach requires implementing proper input validation and sanitization within the export-center deletion API endpoint, specifically ensuring that user-supplied identifiers are validated against a whitelist of allowed characters and directory paths. Additionally, the system should enforce strict access controls and implement proper privilege separation during file operations to prevent unauthorized recursive deletions.

The fix implemented in version 2.10.23 addresses this vulnerability by strengthening input validation mechanisms within the bulk delete API endpoint. The update ensures that directory traversal sequences are properly rejected before any file system operations are initiated, preventing attackers from manipulating the ExportCenterManage.delete method with malicious identifiers. This remediation aligns with industry best practices for secure coding and follows the principle of least privilege by limiting file system operations to only those paths explicitly permitted by the application logic. Organizations should prioritize upgrading to version 2.10.23 or later to protect against this critical path traversal vulnerability that could enable remote attackers to perform destructive operations on affected systems.

Responsible

GitHub M

Reservation

05/12/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!