CVE-2026-45320 Overview
CVE-2026-45320 is a SQL injection vulnerability in DataEase, an open source data visualization and analysis tool. Versions prior to 2.10.23 process dashboard SQL variables such as ${deptId} through SqlparserUtils.transFilter(). The final branch of this method returns raw user input for non-in and non-between operators. SubstitutedSql.replace("${var}", value) then splices the unsanitized value directly into dashboard SQL. Authenticated users who can view a dashboard can inject SQL statements against integrated datasources. The issue is fixed in version 2.10.23.
Critical Impact
Authenticated attackers with dashboard view permissions can execute arbitrary SQL against connected datasources, leading to data exfiltration and integrity loss across integrated databases.
Affected Products
- DataEase versions prior to 2.10.23
- DataEase dashboard component using SqlparserUtils.transFilter()
- Integrated datasources reachable through affected DataEase deployments
Discovery Timeline
- 2026-07-15 - CVE-2026-45320 published to NVD
- 2026-07-15 - Last updated in NVD database
Technical Details for CVE-2026-45320
Vulnerability Analysis
The vulnerability is a classic SQL injection flaw [CWE-89] in DataEase's dashboard variable handling. Dashboards support SQL variables using the ${varName} syntax. These variables are meant to be filtered and sanitized by SqlparserUtils.transFilter() before being substituted into query strings.
The filter method contains branches for common operators such as in and between. For all other operators, the final branch returns the raw user-supplied value without applying quoting, escaping, or type coercion. The unsanitized value flows into SubstitutedSql.replace("${var}", value), which performs naive string substitution against the dashboard SQL template.
An authenticated user with dashboard view access supplies a crafted variable value that closes the original SQL context and appends attacker-controlled statements. The resulting query executes against any datasource integrated with the affected dashboard.
Root Cause
The root cause is missing input sanitization in the fallback branch of SqlparserUtils.transFilter(). String concatenation is used to build final SQL instead of parameterized queries. Trust boundaries between authenticated dashboard viewers and backend datasources are not enforced at the SQL layer.
Attack Vector
Exploitation requires network access to DataEase and a valid account with permission to view a dashboard containing SQL variables. The attacker submits a manipulated filter value for a variable such as ${deptId} using an operator outside the in or between set. The malicious payload is spliced into the dashboard query and executed by the connected datasource.
// Security patch excerpt from DefaultChartHandler.java (v2.10.23)
import io.dataease.extensions.datasource.dto.DatasetTableFieldDTO;
import io.dataease.extensions.datasource.dto.DatasourceRequest;
import io.dataease.extensions.datasource.dto.DatasourceSchemaDTO;
+import io.dataease.extensions.datasource.dto.TableFieldWithValue;
import io.dataease.extensions.datasource.model.SQLMeta;
import io.dataease.extensions.datasource.provider.Provider;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
// YoyChartHandler.java - request assembly hardened via fillDatasourceRequest
var request = new DatasourceRequest();
- request.setIsCross(crossDs);
- request.setDsList(dsMap);
+ fillDatasourceRequest(request, crossDs, dsMap, sqlMap);
request.setQuery(originSql);
Source: GitHub Commit 163d510
Detection Methods for CVE-2026-45320
Indicators of Compromise
- Dashboard queries in DataEase logs containing SQL meta-characters such as ', --, /*, ;, or UNION SELECT inside variable positions.
- Unexpected datasource queries referencing system tables like information_schema.tables, pg_catalog, or sys.databases originating from the DataEase service account.
- Long or malformed values submitted for dashboard filter variables such as ${deptId} from authenticated user sessions.
Detection Strategies
- Enable verbose SQL logging on datasources integrated with DataEase and alert on queries whose structure deviates from templated dashboard SQL.
- Inspect HTTP requests to DataEase dashboard filter endpoints for operator values outside expected enums and for payload lengths exceeding filter norms.
- Correlate DataEase audit logs for dashboard views with downstream database query anomalies from the same time window.
Monitoring Recommendations
- Baseline the set of queries each dashboard normally issues and flag deviations in table access patterns or column projections.
- Monitor DataEase service accounts on datasources for privilege usage that exceeds read-only dashboard needs, such as writes or DDL.
- Track user activity for dashboard viewers who submit unusually varied filter values across short time windows.
How to Mitigate CVE-2026-45320
Immediate Actions Required
- Upgrade all DataEase instances to version 2.10.23 or later, which fixes the transFilter SQL injection path.
- Rotate credentials for any datasource account configured in DataEase if the platform was internet-facing or exposed to untrusted authenticated users.
- Audit dashboard definitions for use of SQL variables and review recent database logs for evidence of injection attempts.
Patch Information
The fix is available in DataEase v2.10.23. Details are documented in GitHub Security Advisory GHSA-8vp9-9hx4-6458 and the GitHub Release v2.10.23. The code change is available in GitHub Commit 163d510.
Workarounds
- Restrict dashboard view permissions to trusted users until the upgrade is complete.
- Configure DataEase datasource accounts with least-privilege, read-only credentials scoped to only the tables required for dashboards.
- Place DataEase behind a web application firewall with rules that block SQL meta-characters in dashboard filter parameters.
# Example: upgrade DataEase container to the patched release
docker pull dataease/dataease:v2.10.23
docker stop dataease && docker rm dataease
docker run -d --name dataease \
-p 8100:8100 \
-v /opt/dataease/data:/opt/dataease/data \
dataease/dataease:v2.10.23
# Verify version after restart
curl -s http://localhost:8100/de2api/system/version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

