Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45535

CVE-2026-45535: DataEase Stored SQL Injection Vulnerability

CVE-2026-45535 is a stored SQL injection vulnerability in DataEase affecting versions before 2.10.23. Attackers can inject malicious SQL through dataset variables. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-45535 Overview

CVE-2026-45535 is a stored SQL injection vulnerability in DataEase, an open source data visualization and analysis platform. Versions prior to 2.10.23 fail to sanitize attacker-controlled defaultValue entries in SQL-type dataset variables. The SqlparserUtils.handleVariableDefaultValue() method uses String.replace() to inject ${var} values directly into SQL statements without parameterization or escaping. Any authenticated user with dataset read permission triggers execution of the injected SQL when accessing the dataset. The vulnerability is fixed in DataEase 2.10.23.

Critical Impact

Authenticated attackers can execute arbitrary SQL against the DataEase backend database, exposing dataset content, credentials, and other stored records to any user who opens the affected dataset.

Affected Products

  • DataEase versions prior to 2.10.23
  • Open source data visualization and analysis tool distributed via the dataease/dataease GitHub repository
  • Deployments exposing SQL-type datasets to users with dataset read permission

Discovery Timeline

  • 2026-07-15 - CVE-2026-45535 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-45535

Vulnerability Analysis

The flaw is a stored SQL injection [CWE-89] in DataEase's SQL dataset variable handling. DataEase allows dataset creators to define SQL variables using the ${var} syntax, each with a configurable defaultValue. When a dataset is executed, SqlparserUtils.handleVariableDefaultValue() substitutes the ${var} token with the stored default value using String.replace(). Because the substitution is a raw string concatenation, an attacker who can save a dataset can embed arbitrary SQL clauses inside the defaultValue field. The injected payload is persisted server-side and executes every time another user with dataset read permission opens the dataset, making this a stored injection rather than a reflected one.

Root Cause

The root cause is missing parameterization. The pre-patch code path appended defaultsSqlVariableDetail.getDefaultValue() directly to the sqlBuilder without escaping quotes, comment sequences, or SQL operators. No prepared statement binding or input validation separated user-supplied variable data from the surrounding SQL text.

Attack Vector

An authenticated user with permission to create or edit SQL-type datasets stores a malicious defaultValue such as 1; DROP TABLE users-- or a UNION-based data extraction payload. When another user with dataset read permission requests the dataset, the DataEase backend expands the variable and executes the combined SQL against the configured data source. The attack requires network access to the DataEase web interface and low-privileged authenticated access.

java
// Vulnerable pre-patch flow vs. fixed flow in SqlparserUtils.java
// Source: https://github.com/dataease/dataease/commit/22930a493d900fe3d8084b3dd4c0125abdb2a847
} else {
    if (defaultsSqlVariableDetail != null && StringUtils.isNotEmpty(defaultsSqlVariableDetail.getDefaultValue())) {
        if (!isEdit && isFromDataSet && defaultsSqlVariableDetail.getDefaultValueScope().equals(SqlVariableDetails.DefaultValueScope.ALLSCOPE)) {
-            sqlBuilder.append(defaultsSqlVariableDetail.getDefaultValue());
-            lastIndex = matcher.end();
+            PreparedSqlFragment preparedSqlFragment = buildPreparedSqlFragmentForDefaultValue(defaultsSqlVariableDetail);
+            boolean quoted = isQuotedVariable(sql, matcher.start(), matcher.end());
+            if (quoted) {
+                sqlBuilder.setLength(sqlBuilder.length() - 1);
+            }
+            sqlBuilder.append(preparedSqlFragment.replacement());
+            lastIndex = quoted ? matcher.end() + 1 : matcher.end();
+            tableFieldWithValues.addAll(preparedSqlFragment.tableFieldWithValues());
            replaced = true;
        }
        if (isEdit) {
-            sqlBuilder.append(defaultsSqlVariableDetail.getDefaultValue());
-            lastIndex = matcher.end();
+            PreparedSqlFragment preparedSqlFragment = buildPreparedSqlFragmentForDefaultValue(defaultsSqlVariableDetail);
+            boolean quoted = isQuotedVariable(sql, matcher.start(), matcher.end());
+            if (quoted) {
+                sqlBuilder.setLength(sqlBuilder.length() - 1);
+            }
+            sqlBuilder.append(preparedSqlFragment.replacement());
+            lastIndex = quoted ? matcher.end() + 1 : matcher.end();
+            tableFieldWithValues.addAll(preparedSqlFragment.tableFieldWithValues());
            replaced = true;
        }
    }

The patch replaces the raw string append with buildPreparedSqlFragmentForDefaultValue(), which produces a PreparedSqlFragment that binds the value as a parameter and tracks it in tableFieldWithValues. Identical changes were applied to both SqlparserUtils.java and DeSqlparserUtils.java.

Detection Methods for CVE-2026-45535

Indicators of Compromise

  • Dataset defaultValue fields containing SQL metacharacters such as single quotes, semicolons, UNION, --, or /* comment markers.
  • Backend database logs showing unexpected SELECT, UNION, INSERT, or DROP statements originating from DataEase service accounts.
  • Anomalous dataset query volume or execution time spikes when specific SQL-type datasets are opened.

Detection Strategies

  • Audit the DataEase dataset metadata store for SQL variable defaultValue entries and flag any values that are not simple literals matching the expected column type.
  • Enable full SQL query logging on the data sources that DataEase connects to and correlate query text with the DataEase user session identifiers.
  • Compare DataEase application logs against database audit logs to identify SQL statements that deviate from the templated dataset SQL.

Monitoring Recommendations

  • Monitor the dataease/dataease release feed and internal deployments for versions below 2.10.23.
  • Alert on new or modified SQL datasets created by low-privileged users, particularly those defining SQL variables with default values.
  • Track outbound query patterns from DataEase to detect data exfiltration attempts through UNION-based injection.

How to Mitigate CVE-2026-45535

Immediate Actions Required

  • Upgrade all DataEase instances to version 2.10.23 or later, which contains the parameterized fix in commit 22930a4.
  • Review existing SQL-type datasets and inspect every SQL variable defaultValue for injected clauses before permitting further use.
  • Restrict dataset creation and editing permissions to trusted users while the upgrade is being rolled out.

Patch Information

The fix is published in DataEase Release v2.10.23 and implemented in the security patch commit 22930a4. The vendor advisory is available in GitHub Security Advisory GHSA-pv23-p64m-4pxf. The patch introduces buildPreparedSqlFragmentForDefaultValue() and isQuotedVariable() helpers that convert defaultValue substitution into prepared statement parameters in both SqlparserUtils.java and DeSqlparserUtils.java.

Workarounds

  • Revoke dataset creation and edit permissions from non-administrative accounts until the upgrade to 2.10.23 is complete.
  • Configure the backend data source account used by DataEase with least privilege, limiting it to SELECT on required tables to reduce injection impact.
  • Place DataEase behind an authenticated reverse proxy and inspect dataset save requests for suspicious payloads in defaultValue parameters.
bash
# Upgrade DataEase to the patched release
docker pull dataease/dataease:v2.10.23
docker stop dataease && docker rm dataease
docker run -d --name dataease \
  -p 8100:8100 \
  -v /opt/dataease/data:/opt/dataease/data \
  dataease/dataease:v2.10.23

# Verify installed version
curl -s http://localhost:8100/de2api/sysParameter/version | grep 2.10.23

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.