CVE-2026-50529 in DataEase
Summary
by MITRE • 07/07/2026
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid link token for subsequent share-related API calls even with missing or invalid credentials. This issue is fixed in version 2.10.24.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability exists within DataEase's share interface implementation where the system prematurely generates and returns X-DE-LINK-TOKEN headers before performing any authentication validation. This design flaw creates a critical race condition in the access control mechanism that allows unauthenticated attackers to bypass initial credential requirements by simply knowing a valid share UUID. The vulnerability specifically affects versions prior to 2.10.24 where the system does not enforce proper authorization checks before issuing access tokens, enabling attackers to obtain valid link tokens without providing correct passwords or tickets.
From a technical perspective, this represents a classic authentication bypass vulnerability that violates fundamental security principles of access control validation. The system's improper order of operations allows token generation to occur before credential verification, effectively creating a backdoor that can be exploited by any attacker who discovers a legitimate share UUID. This flaw operates at the application layer and demonstrates poor input validation and authorization flow management within the authentication pipeline.
The operational impact of this vulnerability is significant as it enables attackers to gain unauthorized access to protected data visualizations and analysis tools without proper credentials. Once an attacker obtains a valid X-DE-LINK-TOKEN, they can make subsequent API calls to share-related endpoints, potentially accessing sensitive data, modifying visualizations, or performing other privileged operations depending on the system's permission model. This vulnerability essentially provides a pathway for privilege escalation from unauthorized access to authenticated but limited access within the system.
Security researchers should note that this issue aligns with CWE-285 (Improper Authorization) and demonstrates characteristics similar to those described in ATT&CK technique T1078 (Valid Accounts) where attackers can leverage valid identifiers to gain access. The vulnerability also reflects improper security state management as outlined in CWE-362, where concurrent operations allow for unauthorized state transitions. Organizations using DataEase versions prior to 2.10.24 should immediately implement mitigations including upgrading to the patched version, implementing additional authentication layers, and monitoring for suspicious token generation patterns. The fix implemented in version 2.10.24 addresses this by ensuring proper credential validation occurs before any token generation, thereby enforcing correct authorization flow and preventing the premature issuance of access tokens.