CVE-2026-45534 Overview
CVE-2026-45534 is a remote code execution vulnerability in DataEase, an open source data visualization and analysis tool. Versions prior to 2.10.23 allow attackers to trigger reflection-based code execution during a normal Redshift JDBC connection. The flaw resides in how the Amazon Redshift JDBC driver loads an rsjdbc.ini configuration file from the path returned by System.getProperty("java.io.tmpdir"). An attacker who can influence that configuration file can set socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext, causing the driver to instantiate an attacker-controlled Spring context during connection. The vulnerability is classified under [CWE-94] Improper Control of Generation of Code.
Critical Impact
A low-privileged DataEase user configuring a Redshift datasource can achieve remote code execution on the DataEase backend host through a reflection-based chain in the Redshift JDBC driver.
Affected Products
- DataEase versions prior to 2.10.23
- DataEase Redshift datasource connector (io.dataease.datasource.type.Redshift)
- Deployments bundling the Amazon Redshift JDBC driver (com.amazon.redshift.Driver)
Discovery Timeline
- 2026-07-15 - CVE-2026-45534 published to NVD
- 2026-07-16 - Last updated in NVD database
- v2.10.23 - DataEase releases patched version on GitHub
Technical Details for CVE-2026-45534
Vulnerability Analysis
The vulnerability chains together configuration loading, reflection, and Spring context instantiation to reach arbitrary code execution. When a DataEase user configures a Redshift datasource, io.dataease.datasource.type.Redshift invokes the Amazon Redshift JDBC driver to establish a connection. During connection, com.amazon.redshift.Driver#connect calls com.amazon.redshift.Driver#getJdbcIniFile, which resolves the rsjdbc.ini path from System.getProperty("java.io.tmpdir"). If an attacker has placed a crafted rsjdbc.ini in that directory, the driver reads attacker-controlled properties. The exploitation pivot is the socketFactory property, which is passed to com.amazon.redshift.util.ObjectFactory#instantiate and reflectively loaded. Setting it to org.springframework.context.support.FileSystemXmlApplicationContext causes Spring to parse an attacker-supplied XML bean definition, resulting in arbitrary Java code execution inside the DataEase process.
Root Cause
The root cause is the Redshift JDBC driver trusting configuration loaded from system-writable locations combined with unrestricted reflective instantiation of the socketFactory class. DataEase did not override the JVM system properties (java.io.tmpdir, user.home, AMAZON_REDSHIFT_JDBC_INI_FILE) that control where the driver searches for rsjdbc.ini, leaving the lookup path attacker-influenceable in multi-tenant or shared filesystem scenarios.
Attack Vector
An authenticated attacker with permission to create or edit a Redshift datasource submits a JDBC connection. If the attacker can write rsjdbc.ini into the temporary directory used by the DataEase JVM, the connection attempt triggers reflective loading of FileSystemXmlApplicationContext with an attacker-controlled XML path. The Spring context then defines beans that execute arbitrary commands within the DataEase backend.
// Patch: core/core-backend/src/main/java/io/dataease/CoreApplication.java
public class CoreApplication {
public static void main(String[] args) {
System.setProperty("AMAZON_REDSHIFT_JDBC_INI_FILE", "null");
System.setProperty("user.home", "null");
System.setProperty("java.io.tmpdir", "null");
SpringApplication context = new SpringApplication(CoreApplication.class);
context.addInitializers(new EhCacheStartListener());
context.run(args);
}
}
Source: DataEase commit 3e58149. The patch neutralizes the three system properties the Redshift driver consults when resolving rsjdbc.ini, preventing the driver from loading attacker-controlled configuration.
Detection Methods for CVE-2026-45534
Indicators of Compromise
- Presence of an rsjdbc.ini file in the DataEase JVM temporary directory or in the process user's home directory.
- Unexpected outbound network connections or child processes spawned by the DataEase Java process shortly after a Redshift datasource is saved or tested.
- XML files referenced by FileSystemXmlApplicationContext appearing on disk alongside rsjdbc.ini.
Detection Strategies
- Inspect Redshift datasource entries in DataEase for JDBC URLs or option strings that reference unusual socketFactory values.
- Audit process telemetry for the DataEase Java process loading org.springframework.context.support.FileSystemXmlApplicationContext outside normal Spring startup.
- Alert on Java runtime reads of rsjdbc.ini from world-writable directories using file integrity monitoring.
Monitoring Recommendations
- Log all datasource creation and edit events in DataEase, including the acting user and datasource type.
- Monitor child processes of the DataEase JVM for shells (/bin/sh, bash, cmd.exe) or scripting interpreters.
- Forward JVM and application logs to a centralized platform so reflective class loading anomalies can be correlated with datasource actions.
How to Mitigate CVE-2026-45534
Immediate Actions Required
- Upgrade DataEase to version 2.10.23 or later, which sets AMAZON_REDSHIFT_JDBC_INI_FILE, user.home, and java.io.tmpdir to null at startup.
- Restrict which DataEase roles are permitted to create or modify datasource connections, particularly Redshift datasources.
- Remove any residual rsjdbc.ini files from the DataEase host temporary directory and the process user's home directory.
Patch Information
The fix is released in DataEase v2.10.23 and detailed in GitHub Security Advisory GHSA-cv4c-8rpv-2x97. The corresponding source change is in commit 3e58149, which overrides the JVM system properties consulted by the Redshift JDBC driver.
Workarounds
- Set the JVM properties -DAMAZON_REDSHIFT_JDBC_INI_FILE=null, -Duser.home=null, and -Djava.io.tmpdir=null on DataEase startup if upgrading is not immediately possible.
- Run the DataEase process under a dedicated user with an unwritable temporary directory to block placement of rsjdbc.ini.
- Disable the Redshift datasource type in DataEase until the patched version is deployed.
# Startup override until upgrade to 2.10.23 is completed
java \
-DAMAZON_REDSHIFT_JDBC_INI_FILE=null \
-Duser.home=null \
-Djava.io.tmpdir=null \
-jar dataease-core-backend.jar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

