Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50030

CVE-2026-50030: DataEase SQL Injection Vulnerability

CVE-2026-50030 is a SQL injection flaw in DataEase that allows attackers to query arbitrary datasource tables through the SQL preview API. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-50030 Overview

CVE-2026-50030 is a SQL injection vulnerability in DataEase, an open source data visualization and analysis tool. The flaw exists in the SQL preview functionality exposed through the /de2api/datasetData/previewSql endpoint. The DatasetDataApi.previewSql and previewSqlCheck handlers accept a PreviewSqlDTO payload containing raw SQL, which DatasetDataManage.previewSql stores in datasourceRequest.query. CalciteProvider.fetchResultField then executes the query via prepareStatement(...).executeQuery(). Authenticated attackers can query arbitrary readable datasource tables and receive the results in preview responses. The issue affects all versions prior to 2.10.23 and is classified under [CWE-89].

Critical Impact

Authenticated attackers can execute arbitrary SELECT statements against connected datasources, exposing any table readable by the configured database user.

Affected Products

  • DataEase versions prior to 2.10.23
  • DataEase open source data visualization platform
  • Deployments exposing the /de2api/datasetData/previewSql endpoint

Discovery Timeline

  • 2026-07-15 - CVE-2026-50030 published to NVD
  • 2026-07-15 - Last updated in NVD database

Technical Details for CVE-2026-50030

Vulnerability Analysis

DataEase exposes a SQL preview API intended to help dataset authors validate queries before saving them. The endpoint accepts three parameters via PreviewSqlDTO: sql, datasourceId, and isCross. The backend decodes the supplied SQL and passes it directly into datasourceRequest.query without confining the statement to the dataset scope or applying parameterization for embedded variable defaults.

Execution occurs in CalciteProvider.fetchResultField, which calls prepareStatement(...).executeQuery() on the attacker-controlled string. Because the SQL body itself is user-supplied rather than parameterized, an authenticated user with dataset preview access can read any table the underlying datasource account can access. This bypasses the dataset-level access controls that would normally restrict which columns and rows users can view.

Root Cause

The vulnerability stems from inserting default variable values into SQL text by string concatenation. In SqlparserUtils.java and DeSqlparserUtils.java, the pre-patch code executed sqlBuilder.append(defaultsSqlVariableDetail.getDefaultValue()), embedding raw values into the statement. Combined with an API surface that accepts full SQL bodies, this allowed injection into the executed query.

Attack Vector

An authenticated attacker sends a crafted POST request to /de2api/datasetData/previewSql containing arbitrary SQL and a valid datasourceId. The server executes the SQL against the configured datasource and returns the result set in the API response.

java
// Patch excerpt: core/core-backend/src/main/java/io/dataease/commons/utils/SqlparserUtils.java
} else {
    if (defaultsSqlVariableDetail != null && StringUtils.isNotEmpty(defaultsSqlVariableDetail.getDefaultValue())) {
        if (!isEdit && isFromDataSet && defaultsSqlVariableDetail.getDefaultValueScope().equals(SqlVariableDetails.DefaultValueScope.ALLSCOPE)) {
-            sqlBuilder.append(defaultsSqlVariableDetail.getDefaultValue());
-            lastIndex = matcher.end();
+            PreparedSqlFragment preparedSqlFragment = buildPreparedSqlFragmentForDefaultValue(defaultsSqlVariableDetail);
+            boolean quoted = isQuotedVariable(sql, matcher.start(), matcher.end());
+            if (quoted) {
+                sqlBuilder.setLength(sqlBuilder.length() - 1);
+            }
+            sqlBuilder.append(preparedSqlFragment.replacement());
+            lastIndex = quoted ? matcher.end() + 1 : matcher.end();
+            tableFieldWithValues.addAll(preparedSqlFragment.tableFieldWithValues());
            replaced = true;
        }
    }
}
// Source: https://github.com/dataease/dataease/commit/22930a493d900fe3d8084b3dd4c0125abdb2a847

The fix replaces direct string concatenation with PreparedSqlFragment objects that produce parameter placeholders and carry bound values, forcing safe substitution through the JDBC prepared statement API.

Detection Methods for CVE-2026-50030

Indicators of Compromise

  • Requests to /de2api/datasetData/previewSql from users who do not routinely author datasets
  • SQL preview payloads referencing system tables such as information_schema, pg_catalog, or mysql.user
  • Unusually large response sizes from the previewSql endpoint indicating bulk data extraction
  • DataEase datasource query logs showing SELECT statements against tables not used by any saved dataset

Detection Strategies

  • Enable HTTP access logging on the DataEase reverse proxy and alert on POST volume to /de2api/datasetData/previewSql
  • Correlate DataEase user activity with backend database query logs to identify SQL executed outside of saved dataset definitions
  • Deploy web application firewall signatures matching SQL injection patterns targeting the previewSql and previewSqlCheck handlers

Monitoring Recommendations

  • Baseline normal previewSql usage per user and flag deviations in query length or frequency
  • Monitor DataEase audit logs for datasetData API calls associated with non-editor accounts
  • Alert on database errors originating from the DataEase service user that reference invalid columns or tables, which often accompany injection probing

How to Mitigate CVE-2026-50030

Immediate Actions Required

  • Upgrade DataEase to version 2.10.23 or later, which contains the parameterization fix in SqlparserUtils and DeSqlparserUtils
  • Restrict network access to the DataEase management interface using an allow list of trusted administrator IP ranges
  • Rotate credentials for any datasource connected to a vulnerable DataEase instance if compromise is suspected
  • Review datasource service accounts and reduce their privileges to the minimum tables required for reporting

Patch Information

The vendor released the fix in GitHub Release v2.10.23. The remediation is implemented in commit 22930a4 and documented in the GitHub Security Advisory GHSA-j4v5-5gcx-cvfc. The patch introduces PreparedSqlFragment objects that route variable defaults through JDBC parameter binding rather than string concatenation.

Workarounds

  • Block requests to /de2api/datasetData/previewSql and /de2api/datasetData/previewSqlCheck at a reverse proxy for non-administrator users until patching completes
  • Configure datasource accounts with read-only permissions limited to tables required by published datasets
  • Disable or remove unused datasource connections to reduce the data reachable through injection
bash
# Example NGINX rule restricting previewSql to an administrator IP allow list
location ~ ^/de2api/datasetData/previewSql(Check)?$ {
    allow 10.0.0.0/24;
    deny all;
    proxy_pass http://dataease_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.