CVE-2026-33121 Overview
CVE-2026-33121 is a SQL injection vulnerability affecting DataEase, an open-source data visualization and analytics platform. The vulnerability exists in the API datasource saving process where the deTableName field from a Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can exploit this flaw to inject arbitrary SQL commands by crafting a malicious deTableName value that breaks out of identifier quoting, enabling error-based SQL injection that can extract sensitive database information such as the MySQL version.
Critical Impact
Authenticated attackers can extract sensitive database information and potentially execute arbitrary SQL commands through the unsanitized datasource configuration API endpoint.
Affected Products
- DataEase versions 2.10.20 and below
Discovery Timeline
- 2026-04-16 - CVE-2026-33121 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-33121
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) stems from improper input validation in DataEase's datasource configuration handling. When a user saves a datasource configuration through the API, the application accepts a Base64-encoded configuration object containing a deTableName field. This field is directly incorporated into a DDL (Data Definition Language) statement using simple string concatenation or replacement, without proper parameterization or escaping.
The vulnerability is particularly concerning because it requires only standard authentication to exploit, and the attack can be conducted remotely over the network. While the attacker must have valid credentials, many DataEase deployments may have shared accounts or loosely controlled access, making this a realistic attack vector.
Root Cause
The root cause of CVE-2026-33121 is the use of unsanitized user input in SQL statement construction. The deTableName field from the Base64-encoded datasource configuration is directly interpolated into DDL statements without any validation, escaping, or use of parameterized queries. This allows attackers to break out of the intended SQL context by injecting special characters and SQL syntax that terminates the original query and appends malicious commands.
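The vulnerable pattern and its hardened counterpart, as an added illustration (Python, not DataEase's own Java code): the DDL template, the sample table names and the helper names are assumptions chosen for the example. Because a table name cannot be bound as a query parameter, the defensive fix is strict allowlist validation of the identifier combined with proper identifier quoting, which is what the hardened builder does.

```python
import re

# Strict allowlist for an unquoted MySQL-style identifier: letters, digits and
# underscore, at most 64 characters (MySQL's identifier length limit).
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_]{1,64}")

# Hypothetical DDL template in the style the advisory describes, where the
# user-supplied name is spliced in by plain string replacement. This is an
# illustration, not DataEase's own template.
DDL_TEMPLATE = "CREATE TABLE `{deTableName}` (id INT)"


def build_ddl_vulnerable(de_table_name: str) -> str:
    """Vulnerable pattern: the value replaces the placeholder unchanged, so a
    backtick inside it terminates the quoted identifier and whatever follows
    becomes part of the statement."""
    return DDL_TEMPLATE.replace("{deTableName}", de_table_name)


def quote_identifier(name: str) -> str:
    """Backtick-quote an identifier, doubling any embedded backtick, which is
    how MySQL escapes a backtick inside a quoted identifier."""
    return "`" + name.replace("`", "``") + "`"


def build_ddl_hardened(de_table_name: str) -> str:
    """Hardened pattern: identifiers cannot be bound as query parameters, so
    the name is validated against the allowlist and then quoted/escaped as
    defence in depth. Anything outside the allowlist is rejected outright."""
    if not IDENTIFIER_RE.fullmatch(de_table_name):
        raise ValueError(f"rejected table name: {de_table_name!r}")
    return "CREATE TABLE " + quote_identifier(de_table_name) + " (id INT)"


def hardened_rejects(de_table_name: str) -> bool:
    """True when the hardened builder refuses the name."""
    try:
        build_ddl_hardened(de_table_name)
    except ValueError:
        return True
    return False


def identifier_is_intact(ddl: str) -> bool:
    """Cheap structural check on a built statement: exactly one backtick-quoted
    identifier and no statement terminator means the value stayed inside the
    quotes."""
    return ddl.count("`") == 2 and ";" not in ddl


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    benign = "sales_2024"
    hostile = "t`; SELECT 1; -- "   # a backtick closes the identifier early
    print(build_ddl_vulnerable(benign), identifier_is_intact(build_ddl_vulnerable(benign)))
    print(build_ddl_vulnerable(hostile), identifier_is_intact(build_ddl_vulnerable(hostile)))
    print(build_ddl_hardened(benign))
    print("hardened rejects hostile name:", hardened_rejects(hostile))
```

Running the block shows the vulnerable builder emitting a statement in which the identifier closes early and a second statement follows, while the hardened builder rejects the same value before any SQL is built; the allowlist check, not the escaping, is what carries the fix.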
Attack Vector
The attack is conducted over the network by an authenticated user who submits a specially crafted API request to the datasource saving endpoint. The attacker Base64-encodes a configuration payload where the deTableName field contains SQL injection syntax designed to escape the identifier quoting context.
For example, an attacker could construct a table name that includes SQL metacharacters to close the current statement and inject additional SQL commands. Error-based extraction techniques allow the attacker to retrieve database metadata, user credentials, or other sensitive information by forcing database errors that reveal queried data in error messages.
The attack flow involves:
- Authenticating to the DataEase platform with valid credentials
- Crafting a malicious datasource configuration with an injected deTableName value
- Base64-encoding the configuration payload
- Submitting the payload to the datasource saving API endpoint
- Observing error messages or application responses to extract database information
Detection Methods for CVE-2026-33121
Indicators of Compromise
- Unusual or malformed Base64-encoded payloads in datasource API requests containing SQL syntax characters
- Database error messages appearing in application logs that reference syntax errors or unexpected SQL constructs
- Repeated failed datasource save attempts followed by successful extractions
- Access logs showing unusual patterns of requests to the datasource configuration endpoints
Detection Strategies
- Monitor application and web server logs for requests to datasource API endpoints containing suspicious characters after Base64 decoding
- Implement database query logging and alert on unusual DDL statements or error-based extraction patterns
- Deploy web application firewall (WAF) rules to detect common SQL injection patterns in request bodies
- Use SentinelOne's endpoint detection capabilities to identify post-exploitation activity following successful SQL injection
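The first detection strategy above, decoding the Base64 body of datasource-save requests and flagging a deTableName that is not a plain identifier, as an added example (Python, not part of the advisory or of DataEase). The log line format, the endpoint paths and the sample entries are constructed for the example; the real DataEase route and log layout will differ and the regexes should be adapted to them.

```python
import base64
import json
import re
from typing import Iterable, List, Optional

# Same allowlist a hardened server would apply: a bare identifier only.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_]{1,64}")

# Constructed log format for this example:
#   "<timestamp> <user> <method> <path> body=<base64 request body>"
# The endpoint path is a placeholder, not DataEase's actual route.
DATASOURCE_SAVE_PATH = "/api/datasource/save"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>\S+)$"
)


def decode_config(body_b64: str) -> Optional[dict]:
    """Base64-decode and JSON-parse a datasource configuration body.
    Returns None when the body is not valid Base64-encoded JSON."""
    try:
        obj = json.loads(base64.b64decode(body_b64, validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def check_line(line: str) -> Optional[dict]:
    """Inspect one log line. Returns an alert for a datasource-save request
    whose body is malformed or whose decoded deTableName contains anything
    beyond plain identifier characters; None for everything else."""
    m = LOG_RE.match(line)
    if not m or m.group("path") != DATASOURCE_SAVE_PATH:
        return None
    alert = {"ts": m.group("ts"), "user": m.group("user")}
    cfg = decode_config(m.group("body"))
    if cfg is None:
        alert["reason"] = "malformed body"
        return alert
    name = cfg.get("deTableName")
    if not isinstance(name, str) or IDENTIFIER_RE.fullmatch(name):
        return None
    alert["deTableName"] = name
    alert["reason"] = "non-identifier characters in deTableName"
    return alert


def scan(lines: Iterable[str]) -> List[dict]:
    """Run check_line over a log and collect the alerts in order."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


def _b64(obj: dict) -> str:
    """Encode a configuration the way the constructed log records it."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample log: one benign save, one save with a backtick in the
# table name, one request to a different (placeholder) route, and one body
# that is not Base64 at all.
SAMPLE_LOG = [
    f"2026-04-16T08:00:01Z alice POST {DATASOURCE_SAVE_PATH} body="
    + _b64({"name": "sales", "deTableName": "sales_2024"}),
    f"2026-04-16T08:00:02Z bob POST {DATASOURCE_SAVE_PATH} body="
    + _b64({"name": "x", "deTableName": "t`; SELECT 1; -- "}),
    "2026-04-16T08:00:03Z carol GET /api/datasource/list body="
    + _b64({"deTableName": "t`"}),
    f"2026-04-16T08:00:04Z dave POST {DATASOURCE_SAVE_PATH} body=not-base64!!",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Matching on the decoded field rather than on raw request bytes is the point: a WAF signature looking for SQL keywords in the body never sees them, because the injection sits inside the Base64 layer. Malformed bodies are reported separately and at lower confidence, since they also match the "unusual or malformed payload" indicator listed above but are not by themselves evidence of injection.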
Monitoring Recommendations
- Enable detailed logging for all datasource configuration API calls
- Configure database audit logging to capture all DDL statement execution and errors
- Set up alerts for repeated authentication attempts followed by datasource API access
- Monitor for data exfiltration indicators following database access anomalies
How to Mitigate CVE-2026-33121
Immediate Actions Required
- Upgrade DataEase to version 2.10.21 or later immediately
- Review access logs for any suspicious datasource API activity prior to patching
- Audit database logs for evidence of SQL injection attempts or unauthorized data access
- Restrict network access to the DataEase application to trusted users and networks until patching is complete
Patch Information
The DataEase development team has addressed this vulnerability in version 2.10.21. Organizations should upgrade to this version or later to remediate CVE-2026-33121. The fix implements proper input sanitization and escaping for the deTableName field, preventing SQL injection through this attack vector.
For additional details, refer to the GitHub Release v2.10.21 and the GitHub Security Advisory GHSA-fg4m-q7ch-jqv5.
Workarounds
- Implement a web application firewall (WAF) with rules to block SQL injection patterns in API request bodies as a temporary measure
- Restrict access to the datasource configuration API to only highly trusted administrators
- Enable additional authentication controls such as MFA for accounts with datasource management privileges
- Place DataEase behind a reverse proxy with request inspection capabilities to filter malicious payloads
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

