CVE-2026-50529 Overview
CVE-2026-50529 is an authorization bypass vulnerability in DataEase, an open source data visualization and analysis tool. The /de2api/share/proxyInfo share interface generates and returns an X-DE-LINK-TOKEN before validating the share password or ticket. Unauthenticated attackers who know a protected share UUID can obtain a valid link token even with missing or invalid credentials. The token then permits subsequent share-related API calls, exposing dashboards and datasets that should require authentication. The issue affects all DataEase versions prior to 2.10.24 and is classified as [CWE-863: Incorrect Authorization].
Critical Impact
Unauthenticated attackers with knowledge of a share UUID can bypass password protection on shared DataEase dashboards and access protected data through subsequent share API calls.
Affected Products
- DataEase versions prior to 2.10.24
- DataEase /de2api/share/proxyInfo share endpoint
- DataEase share link token issuance workflow
Discovery Timeline
- 2026-07-07 - CVE-2026-50529 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-50529
Vulnerability Analysis
DataEase supports sharing dashboards and views through link-based shares that can be protected by a password or ticket. Access to a protected share should require valid credentials before any usable session artifact is issued. The /de2api/share/proxyInfo endpoint violates this contract by generating an X-DE-LINK-TOKEN prior to credential validation. The token is returned to callers regardless of whether they supplied a correct password or ticket. Downstream share APIs accept this token as proof of authorization, so attackers can chain calls to enumerate chart data, view content, and dashboard metadata tied to the target share UUID.
Root Cause
The root cause is an out-of-order authorization check in the share proxy workflow. Token issuance executes before the password or ticket comparator runs, so validation failure does not prevent the response body from containing usable credentials. The upstream fix in commit c4e85a981e53c95b1ea73757db31e3025efdc410 introduces chartViewManege.checkLinkChart(view) and adds JWT decoding logic to ChartViewManege, enforcing token verification against the requested chart before returning share data.
Attack Vector
Exploitation requires only network access to a DataEase deployment and knowledge of a share UUID. Share UUIDs may be leaked through referrer logs, browser history, screenshots, or brute-force enumeration in some deployments. An attacker sends a request to /de2api/share/proxyInfo with the target UUID and no or arbitrary credentials, harvests the returned X-DE-LINK-TOKEN, and reuses it against protected share endpoints to retrieve chart and dashboard data.
// Security patch: ChartDataManage.java
view.setChartExtRequest(chartExtRequest);
}
+ chartViewManege.checkLinkChart(view);
+
//excel导出,如果是从仪表板获取图表数据,则仪表板的查询模式,查询结果的数量,覆盖图表对应的属性
if (view.getIsExcelExport()) {
view.setResultMode(ChartConstants.VIEW_RESULT_MODE.CUSTOM);
Source: GitHub Commit c4e85a9
The patch also introduces JWT verification imports in ChartViewManege.java:
package io.dataease.chart.manage;
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.core.conditions.update.UpdateWrapper;
import com.fasterxml.jackson.core.type.TypeReference;
Source: GitHub Commit c4e85a9
Detection Methods for CVE-2026-50529
Indicators of Compromise
- Requests to /de2api/share/proxyInfo from unauthenticated clients that return HTTP 200 with an X-DE-LINK-TOKEN header or body value.
- Repeated /de2api/share/proxyInfo calls using different UUID values from the same source IP, suggesting UUID enumeration.
- Follow-on share API calls presenting an X-DE-LINK-TOKEN where no prior successful password or ticket validation was observed.
- Access to protected share dashboards without matching successful authentication events in DataEase logs.
Detection Strategies
- Compare share endpoint access logs against authentication events to identify tokens issued without a preceding successful credential validation.
- Alert on any HTTP request to /de2api/share/proxyInfo that returns a token when the request omits the password or ticket parameter.
- Baseline normal share UUID access patterns and flag high-volume UUID variation from a single client.
Monitoring Recommendations
- Enable verbose access logging on the DataEase reverse proxy for all /de2api/share/* paths, including request bodies and response headers.
- Forward DataEase application and web-tier logs to a centralized analytics platform for correlation with authentication outcomes.
- Monitor outbound data volumes from DataEase to detect bulk retrieval of chart data through share APIs.
How to Mitigate CVE-2026-50529
Immediate Actions Required
- Upgrade DataEase to version 2.10.24 or later, which contains the authorization fix.
- Rotate or invalidate existing share links whose UUIDs may have been exposed in logs, referrers, or third-party services.
- Audit share endpoint access logs for the presence of X-DE-LINK-TOKEN values issued without valid credentials.
Patch Information
The vulnerability is fixed in DataEase 2.10.24. The fix adds chartViewManege.checkLinkChart(view) to enforce chart-level authorization and introduces JWT verification for share link tokens. Refer to the GitHub Security Advisory GHSA-7287-qqj9-phr6, the GitHub Release v2.10.24, and the remediation commit c4e85a9.
Workarounds
- Restrict network access to DataEase share endpoints using an upstream reverse proxy or web application firewall until the upgrade is applied.
- Disable public share functionality in DataEase administrative settings for sensitive dashboards.
- Rotate all existing share UUIDs after upgrading so that any UUIDs harvested pre-patch cannot be reused.
# Verify installed DataEase version and upgrade
docker inspect dataease --format '{{.Config.Image}}'
docker pull dataease/dataease:v2.10.24
docker compose down && docker compose up -d
# Confirm the fixed version is running
curl -s http://localhost:8100/de2api/sys/status | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

