CVE-2026-32137 Overview
CVE-2026-32137 is a critical SQL Injection vulnerability affecting Dataease, an open source data visualization analysis tool. Prior to version 2.10.20, the table parameter of the /de2api/datasource/previewData endpoint is concatenated directly into SQL statements without any filtering or parameterization. Because the table name (tableName) is a user-controllable string, attackers can inject SQL by supplying a crafted table name, potentially leading to unauthorized data access or manipulation.
Critical Impact
Unauthenticated attackers can execute arbitrary SQL queries through the vulnerable endpoint, potentially compromising data confidentiality and integrity across the entire database.
Affected Products
- Dataease versions prior to 2.10.20
Discovery Timeline
- 2026-03-12 - CVE-2026-32137 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32137
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in Dataease's data preview functionality. The vulnerable endpoint /de2api/datasource/previewData accepts a table parameter that is directly incorporated into SQL queries without proper sanitization. This allows attackers to break out of the intended SQL context and inject arbitrary SQL commands. The vulnerability can be exploited remotely over the network without authentication, making it accessible to any attacker who can reach the affected endpoint.
Root Cause
The root cause of this vulnerability is improper neutralization of special elements used in SQL commands. The application developers failed to implement parameterized queries or prepared statements when handling the user-supplied tableName value. Instead of treating the table name as data, the application treats it as trusted SQL code, allowing attackers to manipulate the query structure.
Attack Vector
The attack vector is network-based, requiring no user interaction or authentication. An attacker can craft malicious HTTP requests to the /de2api/datasource/previewData endpoint with a specially constructed table parameter containing SQL injection payloads. By manipulating the table name value, attackers can:
- Extract sensitive data from the database using UNION-based or time-based blind SQL injection techniques
- Modify or delete database records
- Potentially execute operating system commands depending on database configuration and privileges
The vulnerability mechanism involves direct string concatenation of user input into SQL statements. When a malicious table name such as users; DROP TABLE sensitive_data; -- is provided, the application constructs and executes the attacker-controlled SQL without validation. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-32137
Indicators of Compromise
- Unusual or malformed requests to /de2api/datasource/previewData endpoint containing SQL keywords or special characters
- Database query logs showing unexpected SQL syntax, UNION statements, or time-delay functions in table name contexts
- Error messages in application logs indicating SQL syntax errors from the datasource preview functionality
- Unexpected database access patterns or data exfiltration attempts
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection patterns targeting the /de2api/datasource/previewData endpoint
- Implement anomaly detection for requests containing SQL keywords like UNION, SELECT, DROP, or comment sequences (--, /**/) in the table parameter
- Review database audit logs for queries with unusual table names or syntax patterns
- Deploy application-layer intrusion detection rules specifically targeting Dataease API endpoints
Monitoring Recommendations
- Enable verbose logging on the Dataease application to capture all requests to datasource-related endpoints
- Configure database auditing to log all queries executed by the Dataease application service account
- Set up alerts for error-rate spikes on the vulnerable endpoint that may indicate exploitation attempts
- Monitor for unauthorized data access or export activities following potential exploitation
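The following is an added example, not code from Dataease or from the advisory, covering both the root cause above and the detection guidance: SQL identifiers such as table names cannot be bound as prepared-statement parameters, so the fix pattern is a strict allow-list check on the name, and the same check run over web-server access logs flags requests whose table parameter would have failed it. It assumes the table name arrives as a `table` query-string parameter and that logs are in combined log format; the log lines are constructed.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/de2api/datasource/previewData"

# Table names cannot be bound as prepared-statement parameters, so they must pass
# a strict identifier grammar (ideally also the datasource's real table list).
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# Keywords, comment sequences and time-delay functions named in the detection guidance.
SQLI_MARKERS = re.compile(r"(?i)\b(union|select|drop|sleep|benchmark)\b|--|/\*|;|'")
def is_safe_table_name(name: str, known_tables: Optional[set] = None) -> bool:
    """Allow-list check: plain identifier and, if a table list is given, a member of it."""
    if not IDENTIFIER_RE.fullmatch(name):
        return False
    return known_tables is None or name in known_tables

def extract_table_param(request_line: str) -> Optional[str]:
    """Decoded `table` query parameter of a previewData request line, else None."""
    try:
        _method, target, _proto = request_line.split(" ", 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query).get("table")  # parse_qs percent-decodes exactly once
    return values[0] if values else None

def scan_access_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (table_value, reason) for previewData requests failing the allow-list."""
    for line in lines:
        quoted = re.search(r'"([^"]*)"', line)  # combined log format: first quoted field
        if not quoted:
            continue
        table = extract_table_param(quoted.group(1))
        if table is not None and not is_safe_table_name(table):
            reason = "sql-marker" if SQLI_MARKERS.search(table) else "bad-identifier"
            yield table, reason

# Constructed sample access-log lines (not real Dataease logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /de2api/datasource/previewData?table=sales_2025 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2026:10:01:07 +0000] "GET /de2api/datasource/previewData?table=users%3B+DROP+TABLE+sensitive_data%3B+-- HTTP/1.1" 500 88',
    '10.0.0.9 - - [12/Mar/2026:10:01:09 +0000] "GET /de2api/datasource/previewData?table=orders+x HTTP/1.1" 400 40',
    '10.0.0.7 - - [12/Mar/2026:10:01:11 +0000] "GET /de2api/dashboard/list HTTP/1.1" 200 2048',
]
if __name__ == "__main__":
    for table, reason in scan_access_log(SAMPLE_LOG):
        print(f"FLAG {reason}: table={table!r}")
```

A request whose table value is a clean identifier but not one of the datasource's known tables is still rejected by is_safe_table_name when known_tables is supplied, which is the check the patched code path needs.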
How to Mitigate CVE-2026-32137
Immediate Actions Required
- Upgrade Dataease to version 2.10.20 or later immediately
- Implement web application firewall rules to block SQL injection attempts targeting the /de2api/datasource/previewData endpoint
- Restrict network access to Dataease instances to trusted IP ranges only
- Review database access logs for signs of prior exploitation
Patch Information
The vulnerability has been fixed in Dataease version 2.10.20. Organizations should prioritize upgrading to this version or later. For additional details on the fix and vulnerability, refer to the GitHub Security Advisory (GHSA-vgm2-269h-8624).
Workarounds
- Deploy a web application firewall (WAF) with SQL injection detection rules in front of Dataease instances
- Implement network-level access controls to limit exposure of the /de2api/datasource/previewData endpoint
- Apply principle of least privilege to the database account used by Dataease to limit potential impact
- Consider temporarily disabling the data preview functionality if the feature is not critical to operations
# Example: Block access to the vulnerable endpoint using nginx until patched
location /de2api/datasource/previewData {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.