SQL Injection Vulnerability in DataEase Data Visualization Platform
CVE-2026-33207

8.6 HIGH

Key Information:

Vendor: Dataease
Status: Vendor
CVE Published: 16 April 2026

What is CVE-2026-33207?

DataEase, an open-source data visualization and analytics platform, is affected by a SQL injection vulnerability in versions 2.10.20 and earlier. The flaw lies in the /datasource/getTableField endpoint: the getTableFieldSql method in CalciteProvider.java does not parameterize or sanitize the tableName parameter before using it in a SQL statement. DatasourceServer.java does check that the table name exists in the datasource, but that check can be satisfied by an attacker who first registers an API datasource whose table name carries the malicious content, so the name passes validation and is then concatenated into the query. An authenticated attacker can therefore execute arbitrary SQL commands and, through error-based techniques, extract sensitive information from the database. Users should update to version 2.10.21 or later to mitigate this risk.
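The weakness described above is a classic one: an identifier taken from user input is spliced into a SQL string, and the only guard is an existence check against a list the attacker can populate. The following Java class is an added illustration, not DataEase code; the class name, method names and the query shape are assumptions made for this example. It contrasts the unsafe concatenation pattern with a hardened builder that validates the table name against a strict identifier allow-list and quotes it before use.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical illustration of building a "fetch table fields" query from a
 * user-supplied table name. Not DataEase code; all names here are invented.
 */
public class TableFieldQueryBuilder {

    // Allow-list for an unquoted SQL identifier: starts with a letter or
    // underscore, then letters, digits or underscores, at most 64 characters.
    private static final Pattern SAFE_IDENTIFIER =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    // Unsafe pattern: the identifier is concatenated straight into the statement.
    // A "does this table exist?" check elsewhere does not help when the caller
    // can also control which names are registered as existing.
    static String buildUnsafe(String tableName) {
        return "SELECT * FROM " + tableName + " WHERE 1 = 0";
    }

    // Hardened pattern: reject anything that is not a plain identifier, then
    // quote it so the database treats it strictly as a name.
    static String buildSafe(String tableName) {
        if (tableName == null || !SAFE_IDENTIFIER.matcher(tableName).matches()) {
            throw new IllegalArgumentException("table name is not a valid identifier");
        }
        return "SELECT * FROM \"" + tableName + "\" WHERE 1 = 0";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary name, one that contains
        // characters an identifier must never carry (space and semicolon).
        String[] samples = { "orders", "orders; extra" };
        for (String name : samples) {
            System.out.println("unsafe : " + buildUnsafe(name));
            try {
                System.out.println("safe   : " + buildSafe(name));
            } catch (IllegalArgumentException e) {
                System.out.println("safe   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running main prints both builders' output for the ordinary name and shows the hardened builder rejecting the second input outright, while the unsafe builder happily returns a statement containing it. Where the goal is only to enumerate columns, an even better design is to avoid composing SQL at all and read the schema through JDBC's DatabaseMetaData.getColumns, which takes the table name as a plain parameter rather than as statement text.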

Affected Version(s)

dataease < 2.10.21

References

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved