Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55631

CVE-2026-55631: DataEase Path Traversal Vulnerability

CVE-2026-55631 is a path traversal flaw in DataEase that allows authenticated users to delete arbitrary files via the font management module. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-55631 Overview

CVE-2026-55631 is a path traversal vulnerability [CWE-22] in DataEase, an open source data visualization and analysis tool. The flaw resides in the font management module, where authenticated users can submit an arbitrary fileTransName value when creating a font record. When the record is deleted, the backend concatenates the stored value with the font storage directory and passes it to FileUtils.deleteFile() without path traversal sanitization. This allows deletion of arbitrary writable files inside the application container. The issue is fixed in DataEase version 2.10.24.

Critical Impact

Authenticated attackers can delete arbitrary writable files within the DataEase application container, causing integrity and availability loss for the affected instance.

Affected Products

  • DataEase versions prior to 2.10.24
  • Fixed in DataEase 2.10.24
  • Open source data visualization and analysis tool distributed via GitHub

Discovery Timeline

  • 2026-07-07 - CVE-2026-55631 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-55631

Vulnerability Analysis

DataEase exposes a font management module that lets authenticated users upload custom fonts. During creation, the backend stores a client-supplied fileTransName value in the font record without validation. The value is treated as a trusted filename by later operations.

When the same font record is deleted, the application concatenates the stored fileTransName with the configured font storage directory. It then passes the resulting path directly to FileUtils.deleteFile(). Because no canonicalization or traversal filtering is applied, sequences such as ../ escape the intended directory and resolve to arbitrary locations on the container filesystem.

The outcome is arbitrary file deletion within the writable scope of the DataEase process. Attackers can target configuration files, plugin artifacts, cached data, or runtime state to disrupt operations, force error conditions, or degrade the integrity of the application.

Root Cause

The root cause is missing input validation on the fileTransName field combined with unsafe path construction before a file deletion call. The application trusts user-controlled state stored in a prior request and reuses it in a filesystem operation without normalization or containment checks.

Attack Vector

Exploitation requires an authenticated account with permission to interact with the font management module. An attacker submits a crafted font creation request containing a fileTransName value with directory traversal sequences. They then trigger deletion of the record, which invokes FileUtils.deleteFile() on the attacker-controlled path.

No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-r99p-w8fc-93g6 and the GitHub Commit Update for the technical fix details.

Detection Methods for CVE-2026-55631

Indicators of Compromise

  • Font management API requests containing ../ or encoded traversal sequences in the fileTransName parameter.
  • Unexpected deletion of files outside the DataEase font storage directory.
  • Application errors or missing configuration, plugin, or cache files following font record deletion events.
  • Audit log entries showing font create/delete pairs from the same authenticated user within a short interval.

Detection Strategies

  • Inspect HTTP request bodies to the font management endpoints for path traversal patterns in fileTransName.
  • Correlate font record delete operations with filesystem delete events on paths outside the expected font directory.
  • Alert on file deletions targeting sensitive directories by the DataEase service account.

Monitoring Recommendations

  • Enable verbose audit logging on the DataEase font management module and forward logs to a central SIEM.
  • Monitor container filesystem write and unlink events using runtime workload telemetry.
  • Track anomalous authenticated user activity involving repeated create-then-delete font record sequences.

How to Mitigate CVE-2026-55631

Immediate Actions Required

  • Upgrade DataEase to version 2.10.24 or later, which contains the official fix.
  • Review audit logs for suspicious font management activity, focusing on fileTransName values containing traversal sequences.
  • Restrict access to the font management module to trusted administrators until patching is complete.
  • Rotate credentials and inspect container integrity if arbitrary deletion is suspected.

Patch Information

The fix is included in DataEase 2.10.24. Refer to the GitHub Release v2.10.24 and the remediation commit 8892a69 for details on the sanitization logic introduced around FileUtils.deleteFile().

Workarounds

  • Limit accounts that can create or delete font records to a minimal set of administrators.
  • Run the DataEase container with a read-only root filesystem and restricted writable volumes to reduce the blast radius.
  • Deploy a web application firewall rule to block requests containing traversal sequences such as ../ or ..%2f in the fileTransName field.
  • Enforce container filesystem integrity monitoring to detect unauthorized deletions.
bash
# Example WAF rule (ModSecurity) blocking traversal in fileTransName
SecRule ARGS:fileTransName "@rx (\.\./|\.\.%2f|\.\.\\)" \
    "id:1055631,phase:2,deny,status:400,log,\
     msg:'CVE-2026-55631 path traversal attempt in DataEase fileTransName'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.