Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45417

CVE-2026-45417: DataEase SQL Injection Vulnerability

CVE-2026-45417 is a SQL injection flaw in DataEase that affects datasource connection checks for DB2, SQL Server, and PostgreSQL. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-45417 Overview

CVE-2026-45417 is a SQL injection vulnerability [CWE-89] in DataEase, an open source data visualization and analysis tool. Versions prior to 2.10.23 concatenate the configuration.getSchema() value directly into getTablesSql inside io.dataease.datasource.provider.CalciteProvider#checkStatus. The resulting SQL statement is then passed to executeQuery. Authenticated attackers can inject malicious SQL through the datasource connection status check against DB2, SQL Server, PostgreSQL, and other supported backends. The maintainers fixed the flaw in version 2.10.23.

Critical Impact

Authenticated attackers can inject arbitrary SQL into the backing database through the datasource connection check, leading to data disclosure or manipulation across DB2, SQL Server, PostgreSQL, and other supported datasources.

Affected Products

  • DataEase versions prior to 2.10.23
  • DataEase deployments connecting to DB2, SQL Server, or PostgreSQL datasources
  • Any DataEase instance exposing the datasource connection status check endpoint

Discovery Timeline

  • 2026-07-15 - CVE-2026-45417 published to NVD
  • 2026-07-15 - Last updated in NVD database

Technical Details for CVE-2026-45417

Vulnerability Analysis

DataEase performs a connection status check whenever a user configures or validates a datasource. The check runs inside io.dataease.datasource.provider.CalciteProvider#checkStatus. This method builds getTablesSql by concatenating the value returned from configuration.getSchema() directly into a SQL statement. The concatenated statement is then executed with executeQuery. Because the schema value is user-controllable through the datasource configuration payload, an authenticated attacker can inject additional SQL syntax into the query. The injection reaches multiple database dialects, including DB2, SQL Server, and PostgreSQL. Successful exploitation lets attackers read arbitrary tables, modify data, or run vendor-specific functions available to the datasource account.

Root Cause

The root cause is unsafe string concatenation of a client-supplied schema identifier into a SQL statement. The code path does not apply parameter binding, identifier quoting, or an allow list on configuration.getSchema(). Any control characters accepted by the target database driver are executed verbatim. This is a classic CWE-89 pattern applied to a supposedly trusted configuration field.

Attack Vector

Exploitation requires network access to DataEase and low-privilege authenticated access sufficient to submit or trigger a datasource connection check. The attacker supplies a crafted schema value inside the datasource configuration, then invokes the status check. DataEase concatenates the payload into getTablesSql and executes it against the configured backend. The database account tied to the datasource determines the reach of the injection. No user interaction beyond the attacker's own request is required. See the GitHub Security Advisory GHSA-rg6c-r9mv-39fr and the upstream commit for the fix details.

Detection Methods for CVE-2026-45417

Indicators of Compromise

  • Datasource configuration entries where the schema field contains SQL metacharacters such as ;, --, /*, or UNION.
  • Application logs from DataEase showing CalciteProvider#checkStatus errors or unexpected executeQuery failures.
  • Backend database audit logs recording queries against information_schema, sys.tables, or pg_catalog originating from the DataEase service account outside normal reporting workflows.

Detection Strategies

  • Inspect the DataEase datasource repository for stored schema values that deviate from expected identifier patterns.
  • Enable database-side query logging for accounts used by DataEase and alert on statements that do not match the getTablesSql template.
  • Monitor HTTP requests to DataEase datasource management endpoints for schema fields containing whitespace, quote characters, or SQL keywords.

Monitoring Recommendations

  • Forward DataEase application logs and backend database audit logs to a centralized log platform for correlation.
  • Alert on repeated datasource status check failures from the same authenticated user within a short window.
  • Track version banners of DataEase instances and flag any deployment reporting a version earlier than 2.10.23.

How to Mitigate CVE-2026-45417

Immediate Actions Required

  • Upgrade DataEase to version 2.10.23 or later using the v2.10.23 release.
  • Restrict who can create or edit datasources to a small set of trusted administrators.
  • Rotate credentials used by DataEase datasources and grant those accounts only the minimum privileges required for reporting.

Patch Information

The fix is shipped in DataEase 2.10.23. The patch commit f1c7204da1787ef812ee23cd3d51a1824126c1fb removes unsafe concatenation of the schema value in CalciteProvider#checkStatus so that the value can no longer alter query semantics. Administrators should apply this upgrade rather than attempt in-place code changes.

Workarounds

  • Place DataEase behind an authenticated reverse proxy and block anonymous or self-service account creation until patched.
  • Revoke write access to datasource configuration for non-administrative roles.
  • Configure database accounts used by DataEase as read-only against a dedicated reporting schema to limit the blast radius of any injection.
bash
# Verify the running DataEase version and upgrade if below 2.10.23
docker exec dataease cat /opt/dataease2.0/conf/version || true
docker pull registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.23
docker compose -f /opt/dataease2.0/docker-compose.yml up -d

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.