CVE-2026-53730 in DataEaseinfo

Summary

by MITRE • 07/07/2026

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation, allowing any authenticated user to specify datasourceId=-1, access the built-in engine database, execute arbitrary SQL statements, and read sensitive core data. This issue is fixed in version 2.10.24.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability exists within DataEase version 2.10.23 and earlier, specifically in the /de2api/datasetData/previewSql endpoint which fails to implement proper access control validation. This represents a critical authorization flaw that allows authenticated users to bypass security restrictions through the missing @DePermit permission validation annotation. The absence of this mandatory security check creates an exploitable path where any user with valid authentication credentials can manipulate the datasourceId parameter to -1, effectively gaining access to the built-in engine database. This misconfiguration enables arbitrary SQL execution capabilities that extend far beyond normal operational boundaries.

The technical implementation flaw stems from inadequate input validation and permission checking within the API endpoint. When users submit requests to previewSql with datasourceId=-1, the system should enforce strict authorization checks but instead allows the operation to proceed. This creates a privilege escalation vector where authenticated users can execute SQL statements against core database systems without proper authorization. The vulnerability demonstrates a clear breakdown in the principle of least privilege enforcement, as the application fails to validate whether the requesting user has appropriate permissions for the target data source.

Operationally, this vulnerability presents a severe risk to organizations using DataEase deployments prior to version 2.10.24. Attackers can leverage this flaw to extract sensitive core data from the built-in engine database, potentially accessing confidential information including user credentials, system configurations, and business-critical datasets. The impact extends beyond simple data theft to include potential system compromise through SQL injection attacks that could lead to further lateral movement within the network infrastructure. This vulnerability directly aligns with CWE-285: Improper Authorization, which addresses insufficient access control mechanisms in software applications.

The security implications are particularly concerning given that this affects an open source tool widely used for data visualization and analysis. Organizations relying on these vulnerable versions face significant exposure to unauthorized data access and potential regulatory compliance violations. The fix implemented in version 2.10.24 addresses the root cause by properly implementing the @DePermit annotation, ensuring that all requests to the previewSql endpoint undergo appropriate permission validation before executing database operations.

Organizations should immediately upgrade to DataEase version 2.10.24 or later to remediate this vulnerability. Additionally, system administrators should conduct comprehensive security assessments of their deployed instances and monitor for any unusual database access patterns that might indicate exploitation attempts. The vulnerability also highlights the importance of proper input validation and authorization checking in RESTful API implementations, aligning with ATT&CK technique T1078.004: Valid Accounts - Cloud Accounts, where unauthorized access to core systems can occur through misconfigured permissions rather than direct credential compromise.

Responsible

GitHub M

Reservation

06/10/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!