CVE-2026-45419 Overview
CVE-2026-45419 is a path traversal vulnerability [CWE-22] in DataEase, an open source data visualization and analysis tool. The flaw exists in the template save functionality, specifically the TemplateManageService#save and StaticResourceServer#saveFilesToServe methods invoked through the /de2api/templateManage/save endpoint. Attackers with authenticated access can supply crafted staticResource names and Base64-encoded content to write arbitrary files outside the intended directory. The root cause is unsafe filename extraction that only splits on the / character, ignoring traversal sequences. Versions prior to 2.10.23 are affected, and the maintainers released a fix in version 2.10.23.
Critical Impact
Authenticated attackers can achieve arbitrary file write across the filesystem, enabling remote code execution, configuration tampering, and complete integrity compromise of the DataEase host.
Affected Products
- DataEase versions prior to 2.10.23
- DataEase TemplateManageService component
- DataEase StaticResourceServer static resource handler
Discovery Timeline
- 2026-07-15 - CVE-2026-45419 published to NVD
- 2026-07-15 - Last updated in NVD database
- 2.10.23 - DataEase releases patched version resolving the path traversal issue
Technical Details for CVE-2026-45419
Vulnerability Analysis
DataEase exposes a template save API that accepts a JSON map of static resources. Each map entry contains a path key and Base64-encoded file content. The server iterates over these entries and writes them to the static resource directory. The vulnerability arises because the original code used path.lastIndexOf("/") to derive the filename, which does not sanitize path traversal sequences such as ../ or absolute paths embedded in the key. An authenticated attacker crafts a template payload with keys resolving outside the intended directory, causing the server to persist attacker-controlled bytes at arbitrary filesystem locations. Because the write occurs under the DataEase process account, attackers can drop web-executable content, overwrite JAR resources, or replace configuration files to achieve code execution.
Root Cause
The root cause is insufficient filename sanitization in StaticResourceServer.saveFilesToServe. The original implementation extracted the filename using only the last / character, treating anything before it as harmless. This ignores backslashes, encoded separators, and traversal tokens that survive into the destination path. The fix replaces the inline substring logic with a dedicated extractFileName(path) routine that normalizes and validates the resulting name before writing.
Attack Vector
Exploitation requires network access to the DataEase API and low-privilege authentication. An attacker sends a POST request to /de2api/templateManage/save containing a staticResource JSON object whose keys embed traversal sequences. The server decodes the Base64 content and writes it to the resolved path.
// Patched code from StaticResourceServer.java
// Source: https://github.com/dataease/dataease/commit/d34f413ef047bd275909d67310d200cbc8ae31ba
Map<String, String> resource = JsonUtil.parse(staticResource, Map.class);
for (Map.Entry<String, String> entry : resource.entrySet()) {
String path = entry.getKey();
- String fileName = path.substring(path.lastIndexOf("/") + 1, path.length());
+ String fileName = extractFileName(path);
saveSingleFileToServe(fileName, entry.getValue());
}
Source: GitHub Commit d34f413
Detection Methods for CVE-2026-45419
Indicators of Compromise
- Unexpected files written under the DataEase static resource directory or adjacent application paths with recent modification timestamps.
- HTTP POST requests to /de2api/templateManage/save containing staticResource map keys with ../, backslashes, or absolute paths.
- New or modified .jsp, .class, .jar, or configuration files under the DataEase installation directory that do not correspond to a known upgrade.
Detection Strategies
- Inspect application access logs for calls to /de2api/templateManage/save and correlate with the authenticated user identity and source IP.
- Enable request body logging on a reverse proxy in front of DataEase and alert on staticResource payloads containing traversal tokens.
- Perform filesystem integrity monitoring on the DataEase install root and static resource directories to detect out-of-band writes.
Monitoring Recommendations
- Alert on child process creation by the DataEase Java process, which may indicate execution of a dropped payload.
- Monitor outbound network connections from the DataEase host to unfamiliar destinations following template save activity.
- Track authentication events for template management roles and flag accounts that suddenly begin using the template save endpoint.
How to Mitigate CVE-2026-45419
Immediate Actions Required
- Upgrade DataEase to version 2.10.23 or later, which introduces the extractFileName sanitization routine.
- Restrict access to the /de2api/templateManage/save endpoint through network controls until patching is complete.
- Audit template management accounts and revoke unnecessary privileges to reduce the pool of users who can reach the vulnerable code path.
- Review the DataEase static resource directory for unauthorized files written before the patch was applied.
Patch Information
The fix is included in DataEase 2.10.23. Refer to the GitHub Security Advisory GHSA-83fh-fgh3-g9f9 and the GitHub Release v2.10.23 for release notes. The upstream commit is available at GitHub Commit d34f413.
Workarounds
- Block requests to /de2api/templateManage/save at the reverse proxy or Web Application Firewall until the upgrade is deployed.
- Add a WAF rule that rejects request bodies where JSON keys under staticResource contain .., /, or backslash sequences beyond a simple filename.
- Run DataEase under a least-privilege service account with write access limited to required directories to reduce blast radius.
# Example NGINX rule to block traversal patterns in template save requests
location /de2api/templateManage/save {
if ($request_body ~* "\.\./|\.\.\\\\") {
return 403;
}
proxy_pass http://dataease_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

