CVE-2026-33122 Overview
DataEase is an open-source data visualization and analytics platform used for building dashboards and analyzing data. A SQL injection vulnerability has been identified in versions 2.10.20 and below affecting the API datasource update process. When a new table definition is added during a datasource update via the /de2api/datasource/update endpoint, the deTableName field from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information.
Critical Impact
Authenticated attackers can execute arbitrary SQL commands to extract sensitive database information, potentially compromising confidential data stored within the DataEase platform.
Affected Products
- DataEase versions 2.10.20 and below
- DataEase open-source data visualization platform deployments
- Self-hosted DataEase instances with datasource management enabled
Discovery Timeline
- 2026-04-16 - CVE CVE-2026-33122 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-33122
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), a critical web application security flaw that allows attackers to interfere with the queries an application makes to its database. The vulnerability exists in the datasource update functionality of DataEase, specifically in how user-supplied table names are processed.
The attack requires authentication but can be exploited over the network without any user interaction. When successful, an attacker gains the ability to read and potentially modify database contents, though no availability impact has been identified. The error-based SQL injection technique allows attackers to extract database information by observing error messages returned by the application.
Root Cause
The root cause lies in how the deTableName field is handled in DatasourceSyncManage.createEngineTable: the user-supplied value is inserted directly into a CREATE TABLE statement template without validation or identifier escaping. Because a table name is an identifier rather than a value, it cannot be passed as a bind parameter of a prepared statement; the application therefore has to validate the name against a strict allowlist (and escape it for the target SQL dialect) before substituting it, and it does neither. Any SQL syntax embedded in the name is passed through to the database engine and executed as part of the statement.
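To make the identifier-injection pattern concrete, the following is an added illustration in Python and not DataEase's own code (DataEase is a Java project, and the real template in createEngineTable is not reproduced on this page). It assumes a hypothetical CREATE TABLE template with MySQL-style backtick quoting, and places the vulnerable construction beside a hardened form that validates the name against an allowlist and escapes it, since a table name cannot be bound as a prepared-statement parameter:

```python
import re

# Hypothetical stand-in for the CREATE TABLE template the advisory describes.
# The real DataEase template is not shown on this page; backtick identifier
# quoting (MySQL style) is assumed.
CREATE_TEMPLATE = "CREATE TABLE `{name}` (`id` BIGINT, `payload` TEXT)"

# Allowlist for engine table names: leading letter/underscore, then
# alphanumerics/underscores, 64 chars max (MySQL's identifier length limit).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_create_table_unsafe(de_table_name: str) -> str:
    """The vulnerable pattern: the caller-controlled name is formatted straight
    into the identifier position. A backtick in the value closes the quoted
    identifier and everything after it is parsed as SQL."""
    return CREATE_TEMPLATE.format(name=de_table_name)


def validate_identifier(de_table_name: str) -> str:
    """Primary control: reject anything that is not a plain identifier. Bind
    parameters cannot be used here, because SQL drivers only bind values, not
    table or column names, so validation has to happen in application code."""
    if not IDENT_RE.fullmatch(de_table_name):
        raise ValueError(f"rejected table name: {de_table_name!r}")
    return de_table_name


def is_safe_table_name(de_table_name: str) -> bool:
    """Boolean form of the allowlist check, convenient for request validation."""
    return IDENT_RE.fullmatch(de_table_name) is not None


def quote_identifier(name: str) -> str:
    """Secondary control: MySQL-style escaping, doubling any embedded backtick so
    the identifier cannot be terminated early even if validation is bypassed."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return "`" + name.replace("`", "``") + "`"


def build_create_table_safe(de_table_name: str) -> str:
    """Hardened form: allowlist first, escape second, then substitute the
    already-quoted identifier into the template."""
    ident = quote_identifier(validate_identifier(de_table_name))
    return f"CREATE TABLE {ident} (`id` BIGINT, `payload` TEXT)"


if __name__ == "__main__":
    # Illustrative breakout value (constructed, not a DataEase exploit): closes
    # the quoted identifier, supplies its own column list, and comments out the
    # rest of the template.
    breakout = "x` (`c` INT) -- "
    print(build_create_table_unsafe(breakout))
    print(build_create_table_safe("sales_2024"))
    try:
        build_create_table_safe(breakout)
    except ValueError as exc:
        print("blocked:", exc)
```

The allowlist is the control that matters; escaping alone would keep the breakout value inside the identifier, but it would still let a nonsensical table name reach the engine database, so the hardened builder rejects it outright and only escapes what has already passed validation.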
Attack Vector
The attack vector is network-based, requiring an authenticated user to submit a specially crafted API request to the /de2api/datasource/update endpoint. The attacker must craft a malicious deTableName value that breaks out of the expected identifier quoting context within the CREATE TABLE statement. By manipulating the table name field, the attacker can inject additional SQL commands that execute alongside the intended query.
The exploitation technique leverages error-based SQL injection, where the attacker extracts database information through carefully crafted queries that cause the database to return meaningful error messages. This method allows for data exfiltration even when direct query results are not visible to the attacker.
Detection Methods for CVE-2026-33122
Indicators of Compromise
- Unusual or malformed deTableName values in datasource update API requests, in particular names containing identifier-breaking characters such as backticks or double quotes, as well as single quotes, semicolons, comment sequences (-- or /*), or SQL keywords
- Error messages in application logs indicating SQL syntax errors during datasource operations
- Unexpected database queries or table creation attempts with suspicious naming patterns
- Anomalous activity from authenticated user accounts targeting the /de2api/datasource/update endpoint
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in API request parameters
- Monitor application logs for SQL syntax errors and unusual database operations related to datasource management
- Deploy runtime application self-protection (RASP) solutions to detect and block SQL injection attempts
- Configure database activity monitoring to alert on suspicious query patterns or unauthorized data access
Monitoring Recommendations
- Enable detailed logging for all datasource-related API endpoints, particularly /de2api/datasource/update
- Set up alerts for multiple failed or error-generating datasource update requests from the same user session
- Monitor database audit logs for unexpected CREATE TABLE statements or SQL syntax anomalies
- Track user behavior patterns to identify authenticated accounts exhibiting unusual datasource management activity
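The indicators and monitoring points above can be turned into a small offline check. The following is an added example, not a DataEase component or an official detection rule: it scans constructed request audit records (one JSON object per line, of the kind a reverse proxy or API gateway configured to log request bodies might emit; the record fields and the body layout are assumed) for POSTs to /de2api/datasource/update, walks the body to find every deTableName at any depth, flags names that are not plain identifiers or that carry identifier-breaking characters or SQL keywords, and separately raises an alert when one user generates repeated server errors against the endpoint:

```python
import json
import re
from collections import Counter

ENDPOINT = "/de2api/datasource/update"

# A plain engine table name: letter/underscore, then [A-Za-z0-9_], 64 chars max.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
# Characters/sequences that can terminate a quoted identifier or statement.
BREAKOUT_RE = re.compile(r'''[`"';()]|--|/\*''')
# Keywords typical of union- and error-based injection; \b keeps names such as
# select_log from matching.
KEYWORD_RE = re.compile(
    r"\b(select|union|extractvalue|updatexml|concat|information_schema|sleep|benchmark)\b",
    re.IGNORECASE,
)

# Constructed sample records (not real DataEase logs). The body layout is an
# assumption; the walker below does not depend on it.
SAMPLE_RECORDS = r'''
{"ts":"2026-04-17T09:12:01Z","user":"alice","method":"POST","path":"/de2api/datasource/update","status":200,"body":{"id":"1001","name":"crm-api","tables":[{"deTableName":"crm_customers"}]}}
{"ts":"2026-04-17T09:14:22Z","user":"alice","method":"POST","path":"/de2api/datasource/update","status":200,"body":{"id":"1001","name":"crm-api","tables":[{"deTableName":"select_log"}]}}
{"ts":"2026-04-17T09:20:05Z","user":"bob","method":"POST","path":"/de2api/datasource/update","status":500,"body":{"id":"1002","name":"x","tables":[{"deTableName":"t` (`a` INT) -- "}]}}
{"ts":"2026-04-17T09:20:09Z","user":"bob","method":"POST","path":"/de2api/datasource/update","status":500,"body":{"id":"1002","name":"x","tables":[{"deTableName":"t\" UNION SELECT 1 -- "}]}}
{"ts":"2026-04-17T09:20:14Z","user":"bob","method":"POST","path":"/de2api/datasource/update","status":500,"body":{"id":"1002","name":"x","tables":[{"deTableName":"t`;"}]}}
{"ts":"2026-04-17T09:21:00Z","user":"carol","method":"GET","path":"/de2api/datasource/list","status":200}
{"ts":"2026-04-17T09:25:30Z","user":"dave","method":"POST","path":"/de2api/datasource/update","status":500,"body":{"id":"1003","name":"erp","tables":[{"deTableName":"orders"}]}}
'''


def find_de_table_names(node):
    """Collect every deTableName string from an arbitrarily nested body, so the
    check works regardless of how the datasource configuration is structured."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "deTableName" and isinstance(value, str):
                found.append(value)
            else:
                found.extend(find_de_table_names(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_de_table_names(item))
    return found


def classify_table_name(name):
    """Return the list of reasons a name looks like an injection attempt
    (empty list means the name is benign by these rules)."""
    reasons = []
    if not IDENT_RE.fullmatch(name):
        reasons.append("not a plain identifier")
    if BREAKOUT_RE.search(name):
        reasons.append("identifier-breaking characters")
    if KEYWORD_RE.search(name):
        reasons.append("sql keyword")
    return reasons


def scan_records(text, error_threshold=3):
    """Scan newline-delimited JSON records; report suspicious table names and
    users whose update requests produced >= error_threshold server errors."""
    suspicious = []
    errors = Counter()
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("path") != ENDPOINT or rec.get("method") != "POST":
            continue
        if rec.get("status", 0) >= 500:
            errors[rec["user"]] += 1
        for name in find_de_table_names(rec.get("body")):
            reasons = classify_table_name(name)
            if reasons:
                suspicious.append({"ts": rec["ts"], "user": rec["user"],
                                   "deTableName": name, "reasons": reasons})
    bursts = {user: n for user, n in errors.items() if n >= error_threshold}
    return {"suspicious": suspicious, "error_bursts": bursts}


if __name__ == "__main__":
    print(json.dumps(scan_records(SAMPLE_RECORDS), indent=2))
```

The two signals are deliberately independent: dave's single failed request with a valid table name trips neither rule, while bob is flagged both for the names he submitted and for the burst of 500 responses, which is the combination a triage analyst would want to see first. Tune the error threshold and keyword list to the deployment; a name such as select_log passes because the keyword match is bounded by word boundaries.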
How to Mitigate CVE-2026-33122
Immediate Actions Required
- Upgrade DataEase to version 2.10.21 or later immediately
- Review application logs for evidence of exploitation attempts targeting the datasource update endpoint
- Audit recent datasource update activities for suspicious table names or configurations
- Consider temporarily restricting access to datasource management features until patching is complete
Patch Information
DataEase has released version 2.10.21 which addresses this SQL injection vulnerability. The fix implements proper sanitization and identifier escaping for the deTableName field before it is used in SQL statements. Organizations should prioritize upgrading to this patched version.
For detailed patch information, refer to the GitHub Release v2.10.21 and the GitHub Security Advisory GHSA-28vg-3hv7-w92f.
Workarounds
- Implement network-level access controls to restrict access to the DataEase API endpoints to trusted users and networks only
- Deploy a Web Application Firewall (WAF) with SQL injection detection rules to filter malicious requests before they reach the application
- Limit datasource management permissions to only essential administrative users
- Monitor and audit all datasource update operations until the patch can be applied
# Example: Restrict access to DataEase API using iptables (temporary mitigation)
# Allow only trusted IP ranges to access the DataEase application port
# (8100 is the port assumed here; adjust to your deployment). The rules are
# appended, so they only take effect if no earlier INPUT rule already accepts
# this traffic; check with: iptables -L INPUT -n --line-numbers
# This is a network-level control only; it does not distinguish between
# authenticated users, so also restrict datasource management permissions.
iptables -A INPUT -p tcp --dport 8100 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8100 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

