CVE-2026-50030 Overview
CVE-2026-50030 is a SQL injection vulnerability in DataEase, an open source data visualization and analysis tool. The flaw exists in the SQL preview functionality exposed through the /de2api/datasetData/previewSql endpoint. The DatasetDataApi.previewSql and previewSqlCheck handlers accept a PreviewSqlDTO payload containing raw SQL, which DatasetDataManage.previewSql stores in datasourceRequest.query. CalciteProvider.fetchResultField then executes the query via prepareStatement(...).executeQuery(). Authenticated attackers can query arbitrary readable datasource tables and receive the results in preview responses. The issue affects all versions prior to 2.10.23 and is classified under [CWE-89].
Critical Impact
Authenticated attackers can execute arbitrary SELECT statements against connected datasources, exposing any table readable by the configured database user.
Affected Products
- DataEase versions prior to 2.10.23
- DataEase open source data visualization platform
- Deployments exposing the /de2api/datasetData/previewSql endpoint
Discovery Timeline
- 2026-07-15 - CVE-2026-50030 published to NVD
- 2026-07-15 - Last updated in NVD database
Technical Details for CVE-2026-50030
Vulnerability Analysis
DataEase exposes a SQL preview API intended to help dataset authors validate queries before saving them. The endpoint accepts three parameters via PreviewSqlDTO: sql, datasourceId, and isCross. The backend decodes the supplied SQL and passes it directly into datasourceRequest.query without confining the statement to the dataset scope or applying parameterization for embedded variable defaults.
Execution occurs in CalciteProvider.fetchResultField, which calls prepareStatement(...).executeQuery() on the attacker-controlled string. Because the SQL body itself is user-supplied rather than parameterized, an authenticated user with dataset preview access can read any table the underlying datasource account can access. This bypasses the dataset-level access controls that would normally restrict which columns and rows users can view.
Root Cause
The vulnerability stems from inserting default variable values into SQL text by string concatenation. In SqlparserUtils.java and DeSqlparserUtils.java, the pre-patch code executed sqlBuilder.append(defaultsSqlVariableDetail.getDefaultValue()), embedding raw values into the statement. Combined with an API surface that accepts full SQL bodies, this allowed injection into the executed query.
Attack Vector
An authenticated attacker sends a crafted POST request to /de2api/datasetData/previewSql containing arbitrary SQL and a valid datasourceId. The server executes the SQL against the configured datasource and returns the result set in the API response.
// Patch excerpt: core/core-backend/src/main/java/io/dataease/commons/utils/SqlparserUtils.java
} else {
if (defaultsSqlVariableDetail != null && StringUtils.isNotEmpty(defaultsSqlVariableDetail.getDefaultValue())) {
if (!isEdit && isFromDataSet && defaultsSqlVariableDetail.getDefaultValueScope().equals(SqlVariableDetails.DefaultValueScope.ALLSCOPE)) {
- sqlBuilder.append(defaultsSqlVariableDetail.getDefaultValue());
- lastIndex = matcher.end();
+ PreparedSqlFragment preparedSqlFragment = buildPreparedSqlFragmentForDefaultValue(defaultsSqlVariableDetail);
+ boolean quoted = isQuotedVariable(sql, matcher.start(), matcher.end());
+ if (quoted) {
+ sqlBuilder.setLength(sqlBuilder.length() - 1);
+ }
+ sqlBuilder.append(preparedSqlFragment.replacement());
+ lastIndex = quoted ? matcher.end() + 1 : matcher.end();
+ tableFieldWithValues.addAll(preparedSqlFragment.tableFieldWithValues());
replaced = true;
}
}
}
// Source: https://github.com/dataease/dataease/commit/22930a493d900fe3d8084b3dd4c0125abdb2a847
The fix replaces direct string concatenation with PreparedSqlFragment objects that produce parameter placeholders and carry bound values, forcing safe substitution through the JDBC prepared statement API.
Detection Methods for CVE-2026-50030
Indicators of Compromise
- Requests to /de2api/datasetData/previewSql from users who do not routinely author datasets
- SQL preview payloads referencing system tables such as information_schema, pg_catalog, or mysql.user
- Unusually large response sizes from the previewSql endpoint indicating bulk data extraction
- DataEase datasource query logs showing SELECT statements against tables not used by any saved dataset
Detection Strategies
- Enable HTTP access logging on the DataEase reverse proxy and alert on POST volume to /de2api/datasetData/previewSql
- Correlate DataEase user activity with backend database query logs to identify SQL executed outside of saved dataset definitions
- Deploy web application firewall signatures matching SQL injection patterns targeting the previewSql and previewSqlCheck handlers
Monitoring Recommendations
- Baseline normal previewSql usage per user and flag deviations in query length or frequency
- Monitor DataEase audit logs for datasetData API calls associated with non-editor accounts
- Alert on database errors originating from the DataEase service user that reference invalid columns or tables, which often accompany injection probing
How to Mitigate CVE-2026-50030
Immediate Actions Required
- Upgrade DataEase to version 2.10.23 or later, which contains the parameterization fix in SqlparserUtils and DeSqlparserUtils
- Restrict network access to the DataEase management interface using an allow list of trusted administrator IP ranges
- Rotate credentials for any datasource connected to a vulnerable DataEase instance if compromise is suspected
- Review datasource service accounts and reduce their privileges to the minimum tables required for reporting
Patch Information
The vendor released the fix in GitHub Release v2.10.23. The remediation is implemented in commit 22930a4 and documented in the GitHub Security Advisory GHSA-j4v5-5gcx-cvfc. The patch introduces PreparedSqlFragment objects that route variable defaults through JDBC parameter binding rather than string concatenation.
Workarounds
- Block requests to /de2api/datasetData/previewSql and /de2api/datasetData/previewSqlCheck at a reverse proxy for non-administrator users until patching completes
- Configure datasource accounts with read-only permissions limited to tables required by published datasets
- Disable or remove unused datasource connections to reduce the data reachable through injection
# Example NGINX rule restricting previewSql to an administrator IP allow list
location ~ ^/de2api/datasetData/previewSql(Check)?$ {
allow 10.0.0.0/24;
deny all;
proxy_pass http://dataease_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

