CVE-2026-55633 Overview
CVE-2026-55633 is a remote code execution vulnerability in DataEase, an open source data visualization and analysis tool. Versions prior to 2.10.24 contain a bypass of an earlier H2 zip protocol and file dropper fix. An authenticated attacker can upload a zip archive disguised with a .ttf extension through the FontManage.saveFile endpoint. The attacker then triggers the H2 zip protocol to load the archive and execute arbitrary code on the server. The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and is fixed in version 2.10.24.
Critical Impact
An authenticated attacker can achieve remote code execution on the DataEase server, resulting in full compromise of confidentiality, integrity, and availability.
Affected Products
- DataEase versions prior to 2.10.24
- DataEase open source data visualization and analysis tool
- Self-hosted DataEase deployments exposing the FontManage upload functionality
Discovery Timeline
- 2026-07-07 - CVE-2026-55633 published to NVD
- 2026-07-08 - Last updated in NVD database
- v2.10.24 - DataEase releases patched version addressing the bypass
Technical Details for CVE-2026-55633
Vulnerability Analysis
The vulnerability results from an incomplete fix for a prior H2 database zip protocol and file dropper issue. DataEase includes an embedded H2 database engine that supports loading scripts through a special zip protocol. An earlier patch attempted to block malicious script loading, but the validation logic can be bypassed. An authenticated user with access to font management functions can weaponize the upload path to reach the H2 script loader. The attack pairs a permissive file upload with a database-side script execution primitive to achieve code execution in the DataEase process context.
Root Cause
The FontManage.saveFile handler accepts uploads based on the .ttf extension rather than verifying file content. Attackers can package a zip archive containing an H2 initialization script and rename it with the .ttf extension. The earlier hardening of the H2 zip protocol did not fully constrain which files the loader would open, allowing the disguised archive to be resolved and processed as a script source.
Attack Vector
Exploitation requires network access and authenticated privileges sufficient to invoke font management. The attacker first uploads a crafted zip archive with a .ttf extension through FontManage.saveFile. The attacker then triggers a code path that opens an H2 connection or executes a query referencing the zip protocol pointing at the uploaded file. The H2 engine reads the archive and executes the embedded script, giving the attacker command execution as the DataEase service account. See the GitHub Security Advisory GHSA-8x36-774q-pwqg for advisory details.
// No verified public exploit code is available.
// Refer to the vendor commits for the exact validation logic changes:
// https://github.com/dataease/dataease/commit/265b31179f1427c059f739841f2e39aaa6d1b937
// https://github.com/dataease/dataease/commit/8892a6945b0b7a329a156155270fae58afa895bc
Detection Methods for CVE-2026-55633
Indicators of Compromise
- Uploads to the DataEase font management endpoint containing files with a .ttf extension whose magic bytes match PK\\x03\\x04 (zip archive) rather than a TrueType font
- Unexpected child processes spawned by the DataEase Java process, such as sh, bash, cmd.exe, or powershell.exe
- Outbound network connections initiated by the DataEase process to attacker-controlled hosts shortly after a font upload
- H2 database log entries referencing the zip: protocol against files inside the DataEase upload directory
Detection Strategies
- Inspect HTTP request bodies to FontManage.saveFile and validate the uploaded file signature against expected TrueType headers (00 01 00 00 or OTTO)
- Alert on any DataEase upload directory writes followed by database script or trigger execution within a short time window
- Correlate authenticated session activity with file uploads and subsequent process creation events on the DataEase host
Monitoring Recommendations
- Enable verbose logging on the DataEase application server and forward logs to a centralized analytics platform for retention and search
- Monitor process ancestry on the DataEase host to identify Java-parented shells or interpreter execution
- Track integrity of the DataEase upload and font directories using file integrity monitoring
How to Mitigate CVE-2026-55633
Immediate Actions Required
- Upgrade DataEase to version 2.10.24 or later using the GitHub Release v2.10.24
- Restrict access to the DataEase administrative interface to trusted networks and audit all accounts with font management privileges
- Rotate credentials, API tokens, and database secrets on any DataEase instance suspected of exposure
- Review historical uploads in the font management directory for zip archives disguised as .ttf files
Patch Information
The fix is delivered in DataEase 2.10.24. The vendor commits 265b3117 and 8892a694 tighten upload validation and further constrain the H2 zip protocol loader. Administrators should apply the release rather than backporting individual commits.
Workarounds
- Place DataEase behind an authenticating reverse proxy and block anonymous or low-privilege access to FontManage.saveFile
- Deploy a web application firewall rule that rejects font uploads whose content begins with the PK zip magic bytes
- Run the DataEase process as a least-privileged service account with no shell, no outbound internet egress, and restricted filesystem permissions
# Verify installed DataEase version and upgrade to the patched release
docker inspect --format='{{.Config.Image}}' dataease
docker pull registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.24
# Scan the font upload directory for zip archives masquerading as TTF files
find /opt/dataease/data/font -type f -name '*.ttf' -print0 \
| xargs -0 -I{} sh -c 'head -c 2 "{}" | grep -q "PK" && echo "Suspicious: {}"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

