CVE-2026-27194: D-Tale RCE Vulnerability

CVE-2026-27194 Overview

D-Tale is a visualizer for pandas data structures that provides an interactive web interface for data exploration. A critical Remote Code Execution (RCE) vulnerability exists in versions prior to 3.20.0 through the /save-column-filter endpoint. Attackers can exploit improper input validation in the query handling mechanism to execute arbitrary code on servers hosting publicly accessible D-Tale instances.

Critical Impact

Unauthenticated attackers can achieve remote code execution on D-Tale servers by injecting malicious code through the column filter functionality, potentially leading to complete server compromise.

Affected Products

• D-Tale versions prior to 3.20.0
• Man Group D-Tale deployments with public network exposure
• Applications integrating vulnerable D-Tale components

Discovery Timeline

• 2026-02-21 - CVE CVE-2026-27194 published to NVD
• 2026-02-23 - Last updated in NVD database

Technical Details for CVE-2026-27194

Vulnerability Analysis

This vulnerability stems from a Code Injection flaw (CWE-74) in D-Tale's query handling mechanism. The /save-column-filter endpoint accepts user-supplied filter expressions that are processed by pandas' DataFrame.query() method without adequate sanitization. Since DataFrame.query() can evaluate Python expressions, attackers can craft malicious payloads containing dangerous function calls that execute arbitrary code on the server.

The attack surface is particularly concerning for D-Tale instances exposed to the network without authentication. An attacker can send a specially crafted HTTP request to the vulnerable endpoint, injecting Python code that bypasses the data filtering context and achieves arbitrary code execution.

Root Cause

The vulnerability originates from insufficient input validation before passing user-controlled strings to pandas' DataFrame.query() method. The query function in D-Tale processes filter expressions without checking for dangerous Python constructs such as __import__, exec(), eval(), open(), or module access patterns like os. and subprocess. This allows attackers to escape the intended query context and execute arbitrary Python code with the privileges of the D-Tale server process.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can target publicly accessible D-Tale instances by sending HTTP requests to the /save-column-filter endpoint with malicious payloads embedded in the filter expression. Common exploitation techniques include:

• Using __import__('os').system() to execute system commands
• Leveraging eval() or exec() for arbitrary code execution
• Accessing sensitive data through open() calls
• Establishing reverse shells via subprocess module access

+import re
+
 import pandas as pd
 
 import dtale.global_state as global_state
 
 from dtale.pandas_util import check_pandas_version, is_pandas3
 from dtale.utils import format_data, get_bool_arg
 
+# Patterns that could enable code execution via pandas.DataFrame.query()
+_DANGEROUS_QUERY_PATTERNS = re.compile(
+    r"(__\w+__"  # dunder attributes (__import__, __class__, etc.)
+    r"|(?<!\w)import\s*\("  # import() calls
+    r"|(?<!\w)exec\s*\("  # exec() calls
+    r"|(?<!\w)eval\s*\("  # eval() calls
+    r"|(?<!\w)compile\s*\("  # compile() calls
+    r"|(?<!\w)open\s*\("  # open() calls
+    r"|(?<!\w)getattr\s*\("  # getattr() calls
+    r"|(?<!\w)setattr\s*\("  # setattr() calls
+    r"|(?<!\w)delattr\s*\("  # delattr() calls
+    r"|(?<!\w)globals\s*\("  # globals() calls
+    r"|(?<!\w)locals\s*\("  # locals() calls
+    r"|(?<!\w)vars\s*\("  # vars() calls
+    r"|(?<!\w)dir\s*\("  # dir() calls
+    r"|(?<!\w)os\."  # os module access
+    r"|(?<!\w)sys\."  # sys module access
+    r"|(?<!\w)subprocess"  # subprocess module access
+    r"|(?<!\w)shutil\."  # shutil module access
+    r")",
+    re.IGNORECASE,

Source: GitHub Commit Reference

Detection Methods for CVE-2026-27194

Indicators of Compromise

• Suspicious HTTP POST requests to /save-column-filter endpoint containing Python code patterns
• Web server logs showing requests with dunder attributes (__import__, __class__, __builtins__)
• Unusual child processes spawned by the D-Tale/Python application process
• Network connections initiated from the D-Tale server to unexpected external destinations

Detection Strategies

• Implement web application firewall (WAF) rules to detect and block requests containing dangerous Python patterns such as __import__, exec(, eval(, and os.system
• Monitor application logs for filter expressions containing suspicious function calls or module references
• Deploy endpoint detection to identify anomalous process execution chains originating from Python web applications
• Enable audit logging on the D-Tale application to track all filter operations

Monitoring Recommendations

• Configure alerting on HTTP requests to D-Tale endpoints containing code injection patterns
• Monitor for new network connections and file system modifications from the D-Tale server process
• Implement behavioral analysis to detect exploitation attempts through abnormal query patterns
• Review access logs regularly for repeated requests to the /save-column-filter endpoint from external sources

How to Mitigate CVE-2026-27194

Immediate Actions Required

• Upgrade D-Tale to version 3.20.0 or later immediately
• Restrict network access to D-Tale instances to trusted networks only
• Implement authentication in front of any publicly accessible D-Tale deployments
• Review server logs for evidence of exploitation attempts

Patch Information

The vulnerability has been fixed in D-Tale version 3.20.0. The patch implements regex-based input validation in dtale/query.py that blocks dangerous Python patterns before they reach the DataFrame.query() function. The fix specifically detects and rejects filter expressions containing dunder attributes, dangerous built-in functions (exec, eval, compile, open), attribute manipulation functions, and dangerous module references (os, sys, subprocess, shutil).

Review the security advisory and security patch for complete details.

Workarounds

• Place D-Tale behind a reverse proxy with authentication requirements
• Implement network segmentation to prevent external access to D-Tale instances
• Use a WAF to filter malicious patterns in requests to the /save-column-filter endpoint
• Run D-Tale in a containerized environment with restricted privileges and capabilities

# Configuration example: Restrict D-Tale to localhost only
# Start D-Tale bound to localhost interface
dtale --host 127.0.0.1 --port 40000

# Use a reverse proxy (nginx example) with basic auth
# location /dtale/ {
#     auth_basic "Restricted Access";
#     auth_basic_user_file /etc/nginx/.htpasswd;
#     proxy_pass http://127.0.0.1:40000/;
# }