CVE-2026-50530 in DataEaseinfo

Summary

by MITRE • 07/07/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing an attacker with a valid share link token to replace dataset identifiers and retrieve unauthorized data through POST /de2api/chartData/getData. This issue is fixed in version 2.10.24.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability affects DataEase versions prior to 2.10.24 and represents a critical access control flaw that undermines the security of shared chart interfaces. The vulnerability stems from insufficient validation mechanisms within the share mode chart data interface where the system only verifies that the sceneId parameter matches the resourceId contained within the link token. However, it fails to validate whether the tableId and field IDs present in the request body correspond to the actual shared resource, creating a pathway for privilege escalation through unauthorized data access.

The technical implementation of this flaw allows attackers to exploit a lack of proper authorization checks by constructing malicious POST requests to the /de2api/chartData/getData endpoint. When an attacker possesses a valid share link token they can manipulate the request body parameters to reference different tableId and field IDs, effectively bypassing the intended access controls that should restrict data access to only the resources explicitly shared through the token. This represents a classic case of insufficient input validation and authorization enforcement where the system assumes that because the sceneId matches the resourceId, all other parameters must also be valid.

The operational impact of this vulnerability is significant as it enables attackers to retrieve unauthorized datasets from the DataEase platform without proper authentication or authorization. An attacker could potentially access sensitive business intelligence data, customer information, or proprietary analytics that were not intended for public consumption, leading to potential data breaches, compliance violations, and loss of competitive advantage. The vulnerability affects any shared chart that utilizes the affected interface, making it a widespread concern across organizations using DataEase for data visualization.

The root cause of this issue aligns with CWE-284 Access Control flaws where improper access control checks allow unauthorized access to resources. From an ATT&CK perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing techniques as attackers could leverage valid share tokens obtained through social engineering or other means to exploit this weakness. The vulnerability demonstrates poor input validation practices and inadequate authorization logic where the system fails to perform comprehensive checks on all parameters involved in data access requests.

Mitigation strategies should focus on implementing robust parameter validation that verifies not only sceneId but also ensures that tableId and field IDs in the request body correspond to the actual shared resource identified by the token. Organizations should immediately upgrade to DataEase version 2.10.24 or later where this vulnerability has been addressed through enhanced authorization checks. Additional protective measures include implementing rate limiting on chart data endpoints, monitoring for unusual parameter combinations in access logs, and conducting regular security assessments of shared resource interfaces to identify similar authorization gaps. The fix should incorporate proper validation that cross-references all request parameters against the token's resource scope to prevent parameter substitution attacks that bypass intended access controls.

Responsible

GitHub M

Reservation

06/04/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!