CVE-2026-53729 Overview
CVE-2026-53729 is an Insecure Direct Object Reference (IDOR) vulnerability in DataEase, an open source data visualization and analysis tool. Versions prior to 2.10.24 allow any authenticated user to access export tasks belonging to other users by manipulating the task ID parameter. The affected endpoints include /exportCenter/download/{id}, /exportCenter/delete, /exportCenter/retry/{id}, and /exportCenter/generateDownloadUri/{id}. The download endpoint is also whitelisted from authentication, exposing exported files to unauthenticated attackers. The issue is fixed in version 2.10.24.
Critical Impact
Attackers can download, delete, or manipulate other users' exported data files without authentication, resulting in confidentiality loss across the DataEase deployment.
Affected Products
- DataEase versions prior to 2.10.24
- DataEase open source data visualization platform
- Deployments exposing the Export Center API
Discovery Timeline
- 2026-07-07 - CVE-2026-53729 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-53729
Vulnerability Analysis
The vulnerability stems from missing authorization checks on the Export Center API endpoints in DataEase. The application accepts a task ID parameter but fails to verify that the requesting user owns the referenced export task. Any authenticated user can substitute a task ID belonging to another account and receive a successful response.
The /exportCenter/download/{id} endpoint compounds the risk by being whitelisted from authentication entirely. Unauthenticated attackers can request exported files directly if they can enumerate or guess valid task identifiers. This class of weakness is tracked as [CWE-639: Authorization Bypass Through User-Controlled Key].
Root Cause
The root cause is broken object-level access control. The controller methods for download, delete, retry, and download URI generation trust the client-supplied task ID and do not compare the task owner against the current authenticated principal. The authentication whitelist entry for the download endpoint further removes any identity check before serving files.
Attack Vector
An attacker with a low-privilege authenticated account enumerates task IDs and issues requests such as GET /exportCenter/download/{id} or POST /exportCenter/delete to interact with tasks owned by other users. The download route is reachable without any credentials, allowing external attackers to retrieve exported dashboards, reports, or dataset extracts once a valid ID is known.
// Patch excerpt from FileUtils.java (DataEase 2.10.24)
// Commit 57e90bdcc21c3fa2ec57184671603ad88a5b941b
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
-import java.nio.file.SimpleFileVisitor;
-import java.nio.file.FileVisitResult;
-import java.nio.file.attribute.BasicFileAttributes;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
Source: GitHub Commit 57e90bd. The commit removes recursive file traversal helpers and tightens the file handling path used by the Export Center, part of the broader fix for arbitrary file access and deletion.
Detection Methods for CVE-2026-53729
Indicators of Compromise
- Unexpected HTTP requests to /exportCenter/download/{id}, /exportCenter/delete, /exportCenter/retry/{id}, or /exportCenter/generateDownloadUri/{id} from unauthenticated sources.
- Sequential or enumerated task ID access patterns targeting the Export Center API.
- Export tasks disappearing or being retried without corresponding user activity in the DataEase audit logs.
Detection Strategies
- Review web server and reverse proxy logs for requests to /exportCenter/* endpoints that lack a valid session or originate from unusual source addresses.
- Correlate task IDs referenced in requests against the owning user in the application database to identify cross-user access.
- Alert on high request volumes to the Export Center endpoints, which may indicate ID enumeration.
Monitoring Recommendations
- Enable access logging for all DataEase API endpoints and forward logs to a central SIEM for retention and correlation.
- Monitor for anomalous file download volumes from the DataEase host that exceed baseline usage patterns.
- Track deletion and retry events on export tasks and reconcile them against expected user workflows.
How to Mitigate CVE-2026-53729
Immediate Actions Required
- Upgrade DataEase to version 2.10.24 or later, which contains the authorization checks and removes the download endpoint from the authentication whitelist.
- Restrict network exposure of DataEase to trusted networks or place it behind a VPN or authenticating reverse proxy until patched.
- Rotate any credentials or tokens contained in exported files that may have been retrieved by unauthorized parties.
Patch Information
The fix is available in DataEase v2.10.24. See the GHSA-9423-78gr-xjj5 advisory and the upstream commit for technical details.
Workarounds
- Block external access to /exportCenter/* routes at the reverse proxy or web application firewall until the upgrade is applied.
- Require authentication at the proxy layer for the download endpoint to compensate for the whitelist entry in vulnerable versions.
- Audit existing export tasks and purge stale exports containing sensitive data to reduce exposure while patching is scheduled.
# Example NGINX rule to block Export Center endpoints until upgrade
location ~ ^/exportCenter/ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

