CVE-2026-33084 Overview
DataEase is an open-source data visualization and analytics platform that enables users to create dashboards and perform data analysis. A SQL injection vulnerability has been identified in versions 2.10.20 and below, specifically affecting the sort parameter of the /de2api/datasetData/enumValueObj endpoint. This vulnerability allows authenticated attackers to inject arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the underlying database system.
Critical Impact
An authenticated attacker can inject arbitrary SQL into the ORDER BY clause that DataEase builds from the sort parameter. The exploitation path described for this issue is time-based blind injection: the attacker confirms the injection and extracts data by measuring response delays rather than reading query output, which can lead to unauthorized data access and, depending on the database engine and the privileges of the DataEase database account, modification or deletion.
Affected Products
- DataEase versions 2.10.20 and below
- DataEase installations using the /de2api/datasetData/enumValueObj endpoint
- DataEase deployments with CalciteProvider SQL execution
Discovery Timeline
- 2026-04-16 - CVE-2026-33084 published to NVD
- 2026-04-16 - Last updated in the NVD database
Technical Details for CVE-2026-33084
Vulnerability Analysis
This SQL injection vulnerability stems from improper handling of user-supplied input in the sort parameter processing chain. The DatasetDataManage service layer accepts user-controlled sort values and directly transfers them to the sorting metadata DTO without proper sanitization. This unsanitized input is then passed to Order2SQLObj, where it becomes incorporated into the SQL ORDER BY clause. The lack of whitelist validation at any point in this data flow allows malicious SQL statements to be constructed and subsequently executed via CalciteProvider.
The vulnerability enables time-based blind SQL injection, a technique where attackers infer database information by observing response time differences caused by injected SQL timing functions. This attack method is particularly dangerous because it can be automated and requires minimal prerequisites beyond authenticated access to the affected endpoint.
Root Cause
The root cause of this vulnerability is the absence of proper input validation and sanitization in the sort parameter handling logic. Specifically:
- The DatasetDataManage service accepts arbitrary user input without validation
- No whitelist filtering is implemented to restrict allowed sort values
- The Order2SQLObj component directly concatenates user input into SQL ORDER BY clauses
- The CalciteProvider executes the resulting SQL without additional security checks
This is a classic CWE-89 (SQL Injection) pattern: untrusted data reaches the SQL interpreter without being constrained to what the application intended. Note that ORDER BY operands are identifiers, not values, so they cannot be bound as prepared-statement parameters; escaping special characters does not help either. The only robust defence is to map the user-supplied sort value onto a fixed allowlist of column names and sort directions before any SQL text is built.
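The following Python is an added illustration of the data-flow flaw described above and of the allowlist fix, not code from DataEase (whose service layer is Java). The column names, the table name and the sort syntax "<column> [asc|desc]" are assumptions made for the example; the real endpoint's sort format is not documented on this page.

```python
# Constructed example schema: columns a dataset might expose for sorting.
# Hypothetical names, not DataEase's real dataset metadata.
ALLOWED_COLUMNS = {"id", "name", "region", "created_at"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def build_query_vulnerable(sort: str) -> str:
    """The CWE-89 pattern described above: the user-controlled sort value is
    concatenated straight into the ORDER BY clause, so anything after the
    column name becomes SQL that the backend executes."""
    return f"SELECT value FROM enum_source ORDER BY {sort}"


class InvalidSortError(ValueError):
    """Raised when a sort value is not on the allowlist."""


def build_query_safe(sort: str) -> str:
    """Hardened form: parse the sort value as '<column> [asc|desc]' and accept
    each token only if it is literally one of the allowlisted strings. ORDER BY
    operands are identifiers and cannot be bound as prepared-statement
    parameters, so membership in a fixed set is the check that matters."""
    tokens = sort.strip().split()
    if not 1 <= len(tokens) <= 2:
        raise InvalidSortError(f"malformed sort value: {sort!r}")
    column = tokens[0].lower()
    direction = tokens[1].lower() if len(tokens) == 2 else "asc"
    if column not in ALLOWED_COLUMNS:
        raise InvalidSortError(f"column not sortable: {tokens[0]!r}")
    if direction not in ALLOWED_DIRECTIONS:
        raise InvalidSortError(f"invalid direction: {tokens[1]!r}")
    return f"SELECT value FROM enum_source ORDER BY {column} {direction.upper()}"


def is_rejected(sort: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_query_safe(sort)
    except InvalidSortError:
        return True
    return False


if __name__ == "__main__":
    # Constructed time-based blind probe of the kind the advisory describes.
    probe = "name,(SELECT SLEEP(5))"
    print(build_query_vulnerable(probe))   # the SLEEP(5) subquery reaches the database
    print(build_query_safe("name desc"))   # ... ORDER BY name DESC
    print(is_rejected(probe))              # True
```

The point of the safe builder is that the emitted SQL only ever contains strings that were already present in the allowlist sets; the request can choose among them but cannot contribute characters of its own.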
Attack Vector
The attack is conducted over the network, requiring the attacker to have authenticated access to the DataEase platform. Once authenticated, an attacker can craft malicious requests to the /de2api/datasetData/enumValueObj endpoint with specially crafted sort parameter values. The injected SQL payload is processed through the vulnerable code path and executed against the database.
The attack leverages time-based blind SQL injection, allowing an attacker to extract information one character at a time by observing response timing. This works without error messages or visible output from the injection point, and with automation it allows enumeration of whatever the DataEase database account is permitted to read.
Detection Methods for CVE-2026-33084
Indicators of Compromise
- Unusual or excessive requests to the /de2api/datasetData/enumValueObj endpoint from single users or IP addresses
- HTTP requests containing SQL injection patterns in the sort parameter (e.g., SLEEP(), BENCHMARK(), WAITFOR DELAY, pg_sleep()); match these case-insensitively against the decoded parameter value, since attackers vary case and encoding
- Database query logs showing abnormal ORDER BY clause constructs or time-delay functions
- Increased database response times correlating with specific API requests
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block SQL injection patterns in request parameters, treating them as a detection aid rather than a fix, since pattern deny-lists can be bypassed with comments, alternate functions or encoding
- Configure database activity monitoring to alert on suspicious query patterns, particularly those involving time-delay functions
- Deploy application-level logging to capture all requests to the vulnerable endpoint with full parameter details
- Use SIEM correlation rules to identify sequential requests with incrementing or iterating patterns typical of blind SQL injection automation
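The following Python is an added example (not part of this page or of DataEase) that applies the indicators and detection strategies listed above to an access log: time-delay tokens in the sort parameter, slow responses, and request bursts from one account against the endpoint. The log lines are constructed for the example, and the field names (user, src, path, sort, rt_ms) are an assumption about an application-level log, not DataEase's real format.

```python
import json
import re
from collections import Counter

ENDPOINT = "/de2api/datasetData/enumValueObj"

# Time-delay functions from the indicators above. Match case-insensitively on the
# decoded parameter value; attackers vary case freely.
TIME_DELAY_RE = re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep|delay)\b", re.IGNORECASE)

BURST_THRESHOLD = 5   # requests from one user to the endpoint in the analysed window
SLOW_MS = 3000        # response time at which an injected delay plausibly fired


def constructed_log() -> str:
    """Constructed sample access log, one JSON object per line. The field names
    are assumptions about an application-level log, not DataEase's format."""
    rows = [
        {"ts": "2026-04-17T10:00:01Z", "user": "alice", "src": "10.0.0.5",
         "path": ENDPOINT, "sort": "name asc", "rt_ms": 42},
        # Hypothetical unrelated path, present only to show the endpoint filter.
        {"ts": "2026-04-17T10:00:02Z", "user": "carol", "src": "10.0.0.7",
         "path": "/de2api/example/unrelated", "sort": "SLEEP(9)", "rt_ms": 35},
    ]
    # Six iterating probes from one account: the shape of automated blind injection.
    for i in range(1, 7):
        rows.append({"ts": f"2026-04-17T10:01:{i:02d}Z", "user": "bob", "src": "203.0.113.9",
                     "path": ENDPOINT,
                     "sort": f"name AND IF(ASCII(SUBSTRING(version(),{i},1))>64,SLEEP(5),0)",
                     "rt_ms": 5020 + i})
    return "\n".join(json.dumps(r) for r in rows)


def parse_log(text: str):
    """Yield one record per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def analyze(log_text: str, burst_threshold: int = BURST_THRESHOLD, slow_ms: int = SLOW_MS) -> dict:
    """Apply the three indicators to the log: time-delay tokens in sort, slow
    responses, and per-user request bursts against the vulnerable endpoint."""
    payload_hits, slow_requests, per_user = [], [], Counter()
    for rec in parse_log(log_text):
        if rec.get("path") != ENDPOINT:
            continue
        per_user[rec["user"]] += 1
        sort_value = rec.get("sort") or ""
        if TIME_DELAY_RE.search(sort_value):
            payload_hits.append((rec["user"], rec["src"], sort_value))
        if rec.get("rt_ms", 0) >= slow_ms:
            slow_requests.append((rec["user"], rec["rt_ms"]))
    burst_users = {u: n for u, n in per_user.items() if n >= burst_threshold}
    return {"payload_hits": payload_hits, "slow_requests": slow_requests, "burst_users": burst_users}


if __name__ == "__main__":
    for key, value in analyze(constructed_log()).items():
        print(key, value)
```

In production the burst threshold and the slow-response cutoff should be tuned to the endpoint's normal traffic, and the token regex should run on the parameter after URL and JSON decoding, which is why the example operates on a structured log rather than raw request lines.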
Monitoring Recommendations
- Enable detailed access logging for the DataEase API endpoints, particularly /de2api/datasetData/enumValueObj
- Monitor database query execution times for anomalous patterns that may indicate time-based injection attempts
- Track authentication events to identify compromised accounts being used for exploitation
- Implement alerting for any SQL errors or exceptions originating from the affected code paths
How to Mitigate CVE-2026-33084
Immediate Actions Required
- Upgrade DataEase to version 2.10.21 or later immediately
- Audit access logs for any signs of exploitation attempts prior to patching
- Review database contents for unauthorized modifications if exploitation is suspected
- Implement network-level restrictions to limit access to the DataEase API from trusted sources only
Patch Information
The vulnerability has been addressed in DataEase version 2.10.21. Organizations should upgrade to this version or later to remediate the SQL injection vulnerability. The fix implements proper input validation and whitelist filtering for the sort parameter, preventing arbitrary SQL injection through the ORDER BY clause.
For detailed patch information, refer to the GitHub Release v2.10.21 and the GitHub Security Advisory GHSA-r897-r9q8-3p2x.
Workarounds
- Implement a reverse proxy or WAF rule to filter requests containing SQL injection patterns in the sort parameter; a deny-list of time-delay function names is a stopgap that can be bypassed by obfuscation, so where the set of sort values your dashboards send is known, prefer a rule that rejects anything outside that set
- Restrict access to the /de2api/datasetData/enumValueObj endpoint to only trusted internal users until patching is complete
- Apply principle of least privilege to database accounts used by DataEase to limit potential impact of successful exploitation
- Monitor and alert on any requests to the vulnerable endpoint while awaiting patch deployment
# Example: ModSecurity rule to block time-based SQL injection patterns in the sort
# parameter (adjust for your WAF solution). The match is case-insensitive because
# SQL function names are; if the endpoint takes a JSON body, ARGS only contains the
# body fields when request body access and the JSON body processor are enabled.
SecRule ARGS:sort "@rx (?i)\b(sleep|benchmark|waitfor|pg_sleep|delay)\b" \
    "id:1001,phase:2,deny,status:403,log,msg:'Potential SQL Injection in sort parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


