Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50124

CVE-2026-50124: DataEase RCE Vulnerability

CVE-2026-50124 is a remote code execution flaw in DataEase that allows attackers to execute arbitrary code via malicious H2 datasource exploitation. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-50124 Overview

CVE-2026-50124 is a remote code execution vulnerability in DataEase, an open source data visualization and analysis tool. The flaw exists in versions prior to 2.10.23 and combines an unrestricted file upload with an unsafe JDBC datasource configuration. Attackers can upload a payload.zip file through the Excel upload API /datasource/upload, create an H2 datasource that uses the zip: protocol, and trigger execution when an SQL dataset is queried. The CalciteProvider.jdbcFetchResultField method invokes statement.executeQuery() against a malicious test.mv.db file, causing precompiled Java aliases to run arbitrary code on the server. The issue is classified under [CWE-434: Unrestricted Upload of File with Dangerous Type].

Critical Impact

Authenticated attackers can achieve arbitrary code execution on DataEase servers by chaining a file upload with a crafted H2 JDBC datasource.

Affected Products

  • DataEase versions prior to 2.10.23
  • DataEase open source data visualization and analysis platform
  • Deployments exposing the /datasource/upload endpoint to authenticated users

Discovery Timeline

  • 2026-07-15 - CVE-2026-50124 published to NVD
  • 2026-07-15 - Last updated in NVD database

Technical Details for CVE-2026-50124

Vulnerability Analysis

The vulnerability chains three weaknesses to achieve remote code execution. First, the Excel upload endpoint /datasource/upload accepts arbitrary file content without validating the file extension. Second, the datasource configuration layer permits H2 JDBC URLs that reference the zip: protocol, allowing the H2 engine to open a database file packaged inside an uploaded archive. Third, the Calcite query provider executes precompiled Java aliases stored in the H2 database file when statement.executeQuery() runs.

H2 databases support user-defined functions written in Java, and these definitions are persisted inside the .mv.db file. When a crafted test.mv.db is loaded from an attacker-controlled zip, executing any SQL statement invokes the embedded Java code with the privileges of the DataEase process.

Root Cause

The root cause is missing input validation at two layers. The DatasourceServer.uploadFile method did not enforce an allow-list of Excel suffixes, and the JDBC configuration classes contained scattered, incomplete URL and driver validation logic. This allowed the zip: protocol and dangerous JDBC parameters to reach the H2 driver.

Attack Vector

An authenticated user uploads a zip archive containing a malicious test.mv.db file through the Excel upload endpoint. The attacker then creates a new H2 datasource whose JDBC URL references the uploaded zip using the zip: protocol. When any SQL dataset is executed against this datasource, CalciteProvider.jdbcFetchResultField calls statement.executeQuery(), triggering the Java alias stored inside the database file.

java
// Patch: enforce Excel file suffix allow-list in DatasourceServer.uploadFile
private static final List<String> EXCEL_UPLOAD_SUFFIXES = List.of("xlsx", "xls", "csv");

public ExcelFileData uploadFile(@RequestParam("file") MultipartFile file,
                                @RequestParam("id") long datasourceId,
                                @RequestParam("editType") Integer editType) throws DEException {
    String fileName = file == null ? null : file.getOriginalFilename();
    String suffix = StringUtils.substringAfterLast(
            StringUtils.defaultString(fileName), ".").toLowerCase(Locale.ROOT);
    if (!EXCEL_UPLOAD_SUFFIXES.contains(suffix)) {
        DEException.throwException(Translator.get("i18n_unsupported_file_format"));
    }
    // ...
}
// Source: https://github.com/dataease/dataease/commit/a7bffa795cb0ca041dce0effe68479cf3bf13db1

The upstream fix also centralizes JDBC URL and driver checks in a new JdbcUrlSecurityPolicy class, replacing scattered illegalParameters lists in individual datasource types such as Db2 and CK. See the DataEase JDBC validation commit for details.

Detection Methods for CVE-2026-50124

Indicators of Compromise

  • HTTP POST requests to /datasource/upload with non-Excel file extensions or containing zip archive magic bytes (PK\\x03\\x04)
  • Creation of H2 datasources whose JDBC URL contains the zip: protocol prefix
  • Presence of test.mv.db or other .mv.db files inside uploaded archive artifacts on the DataEase server
  • Unexpected child processes spawned by the DataEase Java process shortly after dataset query execution

Detection Strategies

  • Inspect application and reverse-proxy logs for uploads to /datasource/upload where the filename suffix is not xlsx, xls, or csv
  • Audit stored datasource configurations for JDBC URLs referencing jdbc:h2:zip: or other non-standard H2 URL forms
  • Monitor for outbound network connections initiated by the DataEase JVM immediately following SQL dataset execution

Monitoring Recommendations

  • Enable verbose access logging on the DataEase API gateway and forward events to a central log platform for retention and search
  • Alert on file writes to DataEase upload directories with extensions other than the approved Excel formats
  • Track process lineage from the DataEase JVM to detect shell, scripting, or download utilities being spawned

How to Mitigate CVE-2026-50124

Immediate Actions Required

  • Upgrade DataEase to version 2.10.23 or later, which enforces Excel suffix validation and centralized JDBC URL security policy
  • Restrict access to the DataEase administrative interface and /datasource/upload endpoint to trusted networks only
  • Review existing datasource definitions and remove any H2 entries that reference the zip: protocol or user-uploaded paths
  • Rotate credentials that were accessible to the DataEase service account if compromise is suspected

Patch Information

The fix is available in DataEase v2.10.23. The patch introduces an allow-list of Excel file suffixes in DatasourceServer.uploadFile and consolidates JDBC URL and driver validation into a new JdbcUrlSecurityPolicy. Details are documented in GitHub Security Advisory GHSA-cjmg-jqmc-xj5v and the file upload validation commit.

Workarounds

  • Place the DataEase server behind a web application firewall that blocks requests to /datasource/upload where the uploaded content is not a valid Excel or CSV file
  • Remove or disable the H2 JDBC driver from the DataEase classpath if H2 datasources are not required in the environment
  • Enforce least-privilege on the DataEase service account so that successful exploitation cannot pivot to sensitive host resources
bash
# Verify the running DataEase version and upgrade if below 2.10.23
curl -s https://<dataease-host>/api/system/version

# Example nginx rule to block non-Excel uploads to the vulnerable endpoint
location = /datasource/upload {
    if ($request_method = POST) {
        # Reject requests whose filename does not end in xlsx, xls, or csv
        if ($request_body !~* "filename=\"[^\"]+\.(xlsx|xls|csv)\"") {
            return 403;
        }
    }
    proxy_pass http://dataease_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.