CVE-2026-50124 in DataEaseinfo

Summary

by MITRE • 07/15/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase can be exploited by uploading payload.zip through the Excel upload API /datasource/upload, creating an H2 datasource that uses the zip: protocol, and executing an SQL dataset path where CalciteProvider.jdbcFetchResultField calls statement.executeQuery(), causing precompiled Java aliases in test.mv.db to execute arbitrary code. This issue is fixed in version 2.10.23.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability affects DataEase versions prior to 2.10.23 and represents a critical remote code execution flaw that stems from improper input validation within the Excel upload API endpoint. The vulnerability manifests when an attacker uploads a malicious payload.zip file through the /datasource/upload interface, which then enables the creation of an H2 datasource utilizing the zip: protocol for data access. This particular implementation pattern creates a dangerous attack surface where user-supplied data can influence database operations through the CalciteProvider.jdbcFetchResultField method.

The technical exploitation occurs when the system processes SQL dataset paths that ultimately call statement.executeQuery(), which triggers execution of precompiled Java aliases stored in the test.mv.db file. This represents a classic server-side request forgery vulnerability combined with an insecure deserialization pattern where database connections are manipulated to execute arbitrary code within the application's runtime environment. The vulnerability is particularly dangerous because it allows attackers to leverage the H2 database engine's capabilities to execute malicious Java code that was previously compiled and stored in the database file.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with full control over the DataEase application server. This includes potential access to sensitive data, privilege escalation, and the ability to establish persistent backdoors within the system. The attack chain leverages multiple layers of trust within the application, from file upload validation to database connection handling, making it particularly difficult to detect and mitigate through traditional security controls.

This vulnerability aligns with CWE-434: "Unrestricted Upload of File with Dangerous Type" and CWE-94: "Improper Control of Generation of Code" which together describe the dangerous combination of insecure file upload handling and code execution vulnerabilities. From an ATT&CK framework perspective, this maps to TA0002: Execution through T1059.007: Command and Scripting Interpreter with potential lateral movement capabilities once initial access is established. The vulnerability also demonstrates characteristics of T1566: Phishing with T1078: Valid Accounts as the attack requires legitimate upload permissions to be effective.

The fix implemented in version 2.10.23 addresses this issue through improved input validation and sanitization of uploaded files, specifically by restricting the types of datasource protocols that can be created through user uploads and by implementing stricter security controls around database connection handling. Organizations should immediately upgrade to version 2.10.23 or later and conduct thorough security assessments of any systems running vulnerable versions. Additional mitigations include implementing network segmentation, monitoring upload activities, and ensuring proper access controls are in place to limit who can submit files through the Excel upload API endpoint.

Responsible

GitHub M

Reservation

06/03/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!