CVE-2026-33121 Overview
CVE-2026-33121 is a SQL injection vulnerability in DataEase, an open-source data visualization and analytics platform. The flaw affects versions 2.10.20 and below. The API datasource saving process constructs a Data Definition Language (DDL) statement by performing simple string replacement on the deTableName field from a Base64-encoded datasource configuration. The application does not sanitize or escape the table identifier. An authenticated attacker can break out of identifier quoting and inject arbitrary SQL commands, enabling error-based extraction of backend database information such as the MySQL version. The issue is fixed in version 2.10.21.
Critical Impact
Authenticated attackers can execute arbitrary SQL against the DataEase backend database, exposing confidentiality, integrity, and availability of the data layer.
Affected Products
- DataEase versions 2.10.20 and below
- DataEase API datasource saving endpoint
- Deployments using MySQL as the backend datasource
Discovery Timeline
- 2026-04-16 - CVE-2026-33121 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-33121
Vulnerability Analysis
The vulnerability resides in the API datasource saving workflow of DataEase. The platform accepts a Base64-encoded datasource configuration payload from authenticated users. After decoding, the deTableName field is consumed as part of a DDL statement built by simple string replacement. Because the platform does not validate, sanitize, or escape the table identifier, an attacker can craft a deTableName value that breaks out of the surrounding identifier quoting (such as backticks for MySQL). Once the quoting is escaped, the attacker's payload becomes part of the executed SQL statement. The result is an error-based SQL injection [CWE-89] that returns database metadata, such as the MySQL @@version, through SQL error responses.
Root Cause
The root cause is the use of string concatenation or String.replace-style substitution to embed user-controlled identifiers into a DDL template. Identifier-level parameter binding is not supported by standard prepared statements, so safe handling requires strict allow-list validation or proper escaping of backticks. DataEase implemented neither check before version 2.10.21.
Attack Vector
The attacker must hold valid credentials with permission to create or modify datasources. The attacker submits a datasource configuration where deTableName contains a payload that closes the identifier quote and appends injected SQL. Because the injected statement executes server-side, the attacker can use error-based techniques to exfiltrate backend information through returned exceptions.
No verified public exploit code is available. Technical specifics are documented in the GitHub Security Advisory GHSA-fg4m-q7ch-jqv5.
Detection Methods for CVE-2026-33121
Indicators of Compromise
- Datasource save requests containing Base64 payloads that decode to deTableName values with backtick, semicolon, or SQL keyword characters.
- Repeated MySQL syntax error entries in DataEase application logs originating from DDL statements.
- Unexpected DDL or metadata queries (@@version, information_schema) issued by the DataEase service account.
Detection Strategies
- Inspect HTTP traffic to the datasource saving API endpoint and decode Base64 payloads to evaluate deTableName content against an identifier allow-list (alphanumerics and underscore).
- Hunt application logs for SQL error stack traces correlated with authenticated datasource save actions.
- Alert on database accounts used by DataEase issuing queries that reference information_schema or version functions outside normal startup behavior.
Monitoring Recommendations
- Enable verbose audit logging on the backend MySQL instance used by DataEase to capture executed DDL statements.
- Track authentication events for low-privilege DataEase accounts that subsequently create or modify datasources.
- Forward DataEase application and database logs to a centralized analytics platform for correlation and retention.
How to Mitigate CVE-2026-33121
Immediate Actions Required
- Upgrade DataEase to version 2.10.21 or later as published in the GitHub Release v2.10.21.
- Audit DataEase user accounts and remove unused or excessively privileged identities that can save datasources.
- Review recent datasource save activity for suspicious deTableName values.
Patch Information
The maintainers fixed the issue in DataEase 2.10.21. Release notes and source changes are available in the GitHub Release v2.10.21. Additional fix context is provided in the GitHub Security Advisory GHSA-fg4m-q7ch-jqv5.
Workarounds
- Restrict access to the DataEase web interface using network controls and a reverse proxy until patching is complete.
- Limit the database privileges of the backend account used by DataEase to the minimum required, preventing schema-wide reads if injection occurs.
- Place a Web Application Firewall (WAF) rule in front of the datasource saving endpoint to reject payloads containing backtick or semicolon characters in decoded fields.
# Upgrade DataEase using Docker Compose
docker compose pull
docker compose down
# Update image tag to v2.10.21 in docker-compose.yml
docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

