CVE-2026-45533 Overview
CVE-2026-45533 is a path traversal vulnerability [CWE-22] affecting DataEase, an open source data visualization and analysis tool. Versions prior to 2.10.23 allow authenticated attackers to send ../ sequences to the export-center bulk delete API endpoint. The application forwards attacker-controlled identifiers directly to ExportCenterManage.delete, resulting in recursive deletion of arbitrary directories on the server. The issue is fixed in version 2.10.23.
Critical Impact
An authenticated attacker can recursively delete arbitrary server directories through export task cleanup, causing loss of application data and availability.
Affected Products
- DataEase versions prior to 2.10.23
- DataEase core-backend component (ExportCenterManage.java)
- DataEase export-center bulk delete API endpoint
Discovery Timeline
- 2026-07-15 - CVE CVE-2026-45533 published to NVD
- 2026-07-15 - Last updated in NVD database
Technical Details for CVE-2026-45533
Vulnerability Analysis
The vulnerability resides in the DataEase export-center subsystem, which manages user-generated data export tasks. The bulk delete API endpoint accepts a list of export task identifiers from the client. These identifiers are passed directly to ExportCenterManage.delete without validation or normalization.
Because the delete routine constructs filesystem paths from the supplied identifiers, an attacker can inject ../ traversal sequences. The routine then performs a recursive filesystem deletion against the resolved path. This allows removal of directories entirely outside the intended export storage location.
Exploitation requires authenticated access with permissions to invoke the export-center delete API. Successful exploitation impacts integrity and availability of the host filesystem accessible to the DataEase process.
Root Cause
The root cause is missing input validation on user-controlled task identifiers used in filesystem operations [CWE-22]. The delete method in ExportCenterManage.java treats externally supplied identifiers as trusted path components. No canonicalization or containment check confirms that the resolved path remains within the designated export directory.
Attack Vector
An authenticated attacker sends a crafted request to the export-center bulk delete endpoint. The request body includes identifiers containing directory traversal sequences such as ../../var/lib/dataease/somedir. The server resolves the path relative to the export directory and recursively deletes the target location.
import io.dataease.model.ExportTaskDTO;
import io.dataease.system.manage.SysParameterManage;
import io.dataease.utils.*;
+import io.dataease.visualization.dao.auto.entity.CoreStore;
import io.dataease.visualization.dao.auto.entity.VisualizationWatermark;
import io.dataease.visualization.dao.auto.mapper.VisualizationWatermarkMapper;
import io.dataease.visualization.dao.ext.mapper.ExtDataVisualizationMapper;
Source: GitHub Commit dba08037 — the patch modifies core/core-backend/src/main/java/io/dataease/exportCenter/manage/ExportCenterManage.java to validate identifiers before deletion.
Detection Methods for CVE-2026-45533
Indicators of Compromise
- HTTP requests to the DataEase export-center bulk delete API containing ../, ..%2f, or URL-encoded traversal sequences in the request body.
- Unexpected recursive directory deletions on the DataEase host outside the configured export storage path.
- Application error logs referencing ExportCenterManage.delete with unusual path arguments or FileNotFoundException on system directories.
Detection Strategies
- Inspect DataEase application and reverse-proxy access logs for POST/DELETE requests to export-center endpoints containing traversal characters in JSON payloads.
- Enable filesystem auditing on the DataEase host to record delete operations against paths outside the configured export directory.
- Correlate authenticated user sessions performing bulk export deletions with subsequent file access failures elsewhere in the application.
Monitoring Recommendations
- Alert on any request body to /exportCenter/ endpoints containing .. sequences after URL and JSON decoding.
- Monitor deletion volume from the DataEase service account and flag sudden spikes tied to bulk delete operations.
- Track version banners in DataEase deployments and alert on instances running versions below 2.10.23.
How to Mitigate CVE-2026-45533
Immediate Actions Required
- Upgrade DataEase to version 2.10.23 or later, which contains the validation fix in ExportCenterManage.delete.
- Restrict access to the DataEase management interface to trusted networks and audit accounts that hold export-center delete permissions.
- Review filesystem state on affected hosts for missing directories that may indicate prior exploitation.
Patch Information
The fix is delivered in DataEase v2.10.23. See the GitHub Release v2.10.23 and the GitHub Security Advisory GHSA-mwr5-hw6p-cqmg. The corresponding code change is in GitHub Commit dba08037.
Workarounds
- Remove or disable the export-center bulk delete endpoint via reverse-proxy rules until the upgrade is applied.
- Deploy a Web Application Firewall (WAF) rule blocking requests to export-center paths that contain .., %2e%2e, or backslash sequences in the body.
- Run the DataEase process under a dedicated, least-privileged OS account whose filesystem access is restricted to the DataEase installation and export directories.
# Example nginx rule to block traversal payloads to export-center endpoints
location ~ ^/de2api/exportCenter/ {
if ($request_body ~* "\.\.(/|%2f|\\)") {
return 403;
}
proxy_pass http://dataease_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

