CVE-2026-53730 Overview
CVE-2026-53730 is a missing authorization vulnerability [CWE-862] in DataEase, an open source data visualization and analysis tool. The /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation. Any authenticated user can specify datasourceId=-1 to access the built-in engine database, execute arbitrary SQL statements, and read sensitive core data. The issue affects DataEase versions prior to 2.10.24 and is fixed in version 2.10.24.
Critical Impact
Authenticated attackers can execute arbitrary SQL against the DataEase built-in engine database and exfiltrate sensitive application data, including user records and configuration.
Affected Products
- DataEase versions prior to 2.10.24
- DataEase /de2api/datasetData/previewSql API endpoint
- DataEase built-in engine database (accessed via datasourceId=-1)
Discovery Timeline
- 2026-07-07 - CVE-2026-53730 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-53730
Vulnerability Analysis
DataEase exposes a REST endpoint at /de2api/datasetData/previewSql intended for previewing SQL queries against configured data sources. The endpoint was not decorated with the @DePermit annotation, which enforces role and permission checks across other DataEase APIs. Because the annotation is missing, the framework does not evaluate whether the caller has rights to execute arbitrary SQL, nor whether the caller may address the internal engine database.
An authenticated user with any role can send a datasourceId value of -1. This value is a reserved identifier that targets the DataEase built-in engine database rather than a user-configured data source. The endpoint then executes attacker-supplied SQL against that internal database and returns the result set.
The practical impact is unauthorized read access to core data, including tables holding user identities, dashboard metadata, and internal system state. Depending on database engine features, attackers may also enumerate schema and pivot to further data exposure.
Root Cause
The root cause is a broken access control gap [CWE-862]. The API controller method backing previewSql did not declare @DePermit, so the DataEase authorization filter treated the route as reachable by any authenticated principal. The reserved datasourceId=-1 path further removed the isolation between user data sources and the built-in engine.
Attack Vector
The attack requires network access to the DataEase API and any valid low-privilege session. The attacker issues a POST request to /de2api/datasetData/previewSql with datasourceId=-1 and an arbitrary SQL payload in the request body. The server executes the SQL against the built-in engine and returns rows to the caller.
// Patch applied in commit 7b47af38b8fa017c9eecb00a4a49264663189e7b
// File: sdk/api/api-base/src/main/java/io/dataease/api/dataset/DatasetDataApi.java
import com.github.xiaoymin.knife4j.annotations.ApiSupport;
import io.dataease.api.dataset.dto.*;
import io.dataease.api.dataset.union.DatasetGroupInfoDTO;
+import io.dataease.auth.DePermit;
import io.dataease.extensions.datasource.dto.DatasetTableDTO;
import io.dataease.extensions.datasource.dto.DatasetTableFieldDTO;
import io.swagger.v3.oas.annotations.Operation;
Source: GitHub Commit 7b47af3. The patch imports io.dataease.auth.DePermit so the annotation can be applied to previewSql and related methods, restoring permission validation before SQL is executed.
Detection Methods for CVE-2026-53730
Indicators of Compromise
- HTTP requests to /de2api/datasetData/previewSql originating from non-administrative user sessions.
- Request bodies containing datasourceId=-1 or JSON fields referencing "datasourceId": -1.
- SQL payloads targeting internal DataEase tables such as user, role, or datasource metadata tables from the built-in engine.
- Unusual volumes of previewSql calls from a single session within a short interval.
Detection Strategies
- Enable verbose access logging on the DataEase application server and alert on any previewSql call where the authenticated principal is not an administrator.
- Inspect application logs for SQL statements referencing sensitive schemas executed via the preview path.
- Correlate authentication events with subsequent previewSql requests to identify low-privilege accounts probing the endpoint.
Monitoring Recommendations
- Forward DataEase application and web server logs to a centralized log platform for retention and query.
- Baseline normal previewSql usage per role, then alert on deviations such as new users invoking the endpoint.
- Monitor the built-in engine database for query patterns inconsistent with dashboard rendering, such as information_schema enumeration.
How to Mitigate CVE-2026-53730
Immediate Actions Required
- Upgrade DataEase to version 2.10.24 or later, which adds the @DePermit annotation to the affected endpoint.
- Rotate credentials for any account with access to the DataEase built-in engine database if unauthorized previewSql activity is observed.
- Audit existing DataEase user accounts and disable dormant or shared low-privilege accounts that could be abused.
- Review recent access logs for requests to /de2api/datasetData/previewSql with datasourceId=-1.
Patch Information
The fix is delivered in DataEase 2.10.24. The upstream patch commit 7b47af38b8fa017c9eecb00a4a49264663189e7b adds the io.dataease.auth.DePermit import and applies permission validation to the vulnerable dataset API methods. See the GitHub Security Advisory GHSA-2jmq-vffm-4qmj and the patch commit for details.
Workarounds
- Restrict network access to the DataEase API to trusted administrative networks until the upgrade is applied.
- Block requests to /de2api/datasetData/previewSql at a reverse proxy or web application firewall for non-administrative user sessions.
- Deny request bodies containing datasourceId=-1 at the proxy layer as a temporary control.
# Example NGINX rule to block previewSql requests targeting the built-in engine
location /de2api/datasetData/previewSql {
if ($request_body ~* "datasourceId\"?\s*[:=]\s*-1") {
return 403;
}
proxy_pass http://dataease_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

