Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45533

CVE-2026-45533: DataEase Path Traversal Vulnerability

CVE-2026-45533 is a path traversal flaw in DataEase that allows attackers to delete arbitrary server directories via the export-center bulk delete API. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-45533 Overview

CVE-2026-45533 is a path traversal vulnerability [CWE-22] affecting DataEase, an open source data visualization and analysis tool. Versions prior to 2.10.23 allow authenticated attackers to send ../ sequences to the export-center bulk delete API endpoint. The application forwards attacker-controlled identifiers directly to ExportCenterManage.delete, resulting in recursive deletion of arbitrary directories on the server. The issue is fixed in version 2.10.23.

Critical Impact

An authenticated attacker can recursively delete arbitrary server directories through export task cleanup, causing loss of application data and availability.

Affected Products

  • DataEase versions prior to 2.10.23
  • DataEase core-backend component (ExportCenterManage.java)
  • DataEase export-center bulk delete API endpoint

Discovery Timeline

  • 2026-07-15 - CVE CVE-2026-45533 published to NVD
  • 2026-07-15 - Last updated in NVD database

Technical Details for CVE-2026-45533

Vulnerability Analysis

The vulnerability resides in the DataEase export-center subsystem, which manages user-generated data export tasks. The bulk delete API endpoint accepts a list of export task identifiers from the client. These identifiers are passed directly to ExportCenterManage.delete without validation or normalization.

Because the delete routine constructs filesystem paths from the supplied identifiers, an attacker can inject ../ traversal sequences. The routine then performs a recursive filesystem deletion against the resolved path. This allows removal of directories entirely outside the intended export storage location.

Exploitation requires authenticated access with permissions to invoke the export-center delete API. Successful exploitation impacts integrity and availability of the host filesystem accessible to the DataEase process.

Root Cause

The root cause is missing input validation on user-controlled task identifiers used in filesystem operations [CWE-22]. The delete method in ExportCenterManage.java treats externally supplied identifiers as trusted path components. No canonicalization or containment check confirms that the resolved path remains within the designated export directory.

Attack Vector

An authenticated attacker sends a crafted request to the export-center bulk delete endpoint. The request body includes identifiers containing directory traversal sequences such as ../../var/lib/dataease/somedir. The server resolves the path relative to the export directory and recursively deletes the target location.

java
 import io.dataease.model.ExportTaskDTO;
 import io.dataease.system.manage.SysParameterManage;
 import io.dataease.utils.*;
+import io.dataease.visualization.dao.auto.entity.CoreStore;
 import io.dataease.visualization.dao.auto.entity.VisualizationWatermark;
 import io.dataease.visualization.dao.auto.mapper.VisualizationWatermarkMapper;
 import io.dataease.visualization.dao.ext.mapper.ExtDataVisualizationMapper;

Source: GitHub Commit dba08037 — the patch modifies core/core-backend/src/main/java/io/dataease/exportCenter/manage/ExportCenterManage.java to validate identifiers before deletion.

Detection Methods for CVE-2026-45533

Indicators of Compromise

  • HTTP requests to the DataEase export-center bulk delete API containing ../, ..%2f, or URL-encoded traversal sequences in the request body.
  • Unexpected recursive directory deletions on the DataEase host outside the configured export storage path.
  • Application error logs referencing ExportCenterManage.delete with unusual path arguments or FileNotFoundException on system directories.

Detection Strategies

  • Inspect DataEase application and reverse-proxy access logs for POST/DELETE requests to export-center endpoints containing traversal characters in JSON payloads.
  • Enable filesystem auditing on the DataEase host to record delete operations against paths outside the configured export directory.
  • Correlate authenticated user sessions performing bulk export deletions with subsequent file access failures elsewhere in the application.

Monitoring Recommendations

  • Alert on any request body to /exportCenter/ endpoints containing .. sequences after URL and JSON decoding.
  • Monitor deletion volume from the DataEase service account and flag sudden spikes tied to bulk delete operations.
  • Track version banners in DataEase deployments and alert on instances running versions below 2.10.23.

How to Mitigate CVE-2026-45533

Immediate Actions Required

  • Upgrade DataEase to version 2.10.23 or later, which contains the validation fix in ExportCenterManage.delete.
  • Restrict access to the DataEase management interface to trusted networks and audit accounts that hold export-center delete permissions.
  • Review filesystem state on affected hosts for missing directories that may indicate prior exploitation.

Patch Information

The fix is delivered in DataEase v2.10.23. See the GitHub Release v2.10.23 and the GitHub Security Advisory GHSA-mwr5-hw6p-cqmg. The corresponding code change is in GitHub Commit dba08037.

Workarounds

  • Remove or disable the export-center bulk delete endpoint via reverse-proxy rules until the upgrade is applied.
  • Deploy a Web Application Firewall (WAF) rule blocking requests to export-center paths that contain .., %2e%2e, or backslash sequences in the body.
  • Run the DataEase process under a dedicated, least-privileged OS account whose filesystem access is restricted to the DataEase installation and export directories.
bash
# Example nginx rule to block traversal payloads to export-center endpoints
location ~ ^/de2api/exportCenter/ {
    if ($request_body ~* "\.\.(/|%2f|\\)") {
        return 403;
    }
    proxy_pass http://dataease_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.