JDBC Parameter Blocklist Bypass Vulnerability in DataEase by DataEase
CVE-2026-40899

8.3 HIGH

Key Information:

Vendor: DataEase
Status: Vendor
CVE Published: 16 April 2026

What is CVE-2026-40899?

DataEase, an open-source data visualization and analytics platform, is susceptible to a JDBC parameter blocklist bypass in its MySQL datasource configuration in versions 2.10.20 and earlier. The datasource configuration class carries Lombok's @Data annotation, which generates a public setter for every non-static field, including illegalParameters, the list used to block dangerous JDBC connection parameters. Because that setter is public, Jackson treats illegalParameters as an ordinary bindable property: an authenticated attacker who submits a JSON datasource configuration containing "illegalParameters": [] replaces the blocklist with an empty list before the parameter check runs, so the remaining parameters are no longer filtered. The attacker can then add parameters such as allowLoadLocalInfile=true and point the datasource at a MySQL server under their control; that server answers with a LOAD DATA LOCAL INFILE request and the JDBC driver reads the requested file from the DataEase host and sends it to the server. This exposes sensitive files on the DataEase server filesystem, including ones holding environment variables and database credentials. Users are advised to upgrade to version 2.10.21, which addresses the issue.
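To make the mechanism concrete, the following is an added example written for this page; it is not DataEase's code and does not reproduce the 2.10.21 patch. The class names VulnerableMysqlConfig and HardenedMysqlConfig, the extraParams field, the three-entry blocklist, the parseExtraParams/allowed helpers and the JSON request body are all constructed for illustration. The @Data-generated accessors are written out by hand so the program compiles with only Jackson on the classpath, and the hardened form (a static final blocklist that is neither a bean property nor reachable through a setter) is one possible fix among several.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class JdbcBlocklistBypassDemo {

    // Constructed blocklist for the demo (not DataEase's real list).
    static final List<String> DEFAULT_ILLEGAL_PARAMETERS = Collections.unmodifiableList(
            Arrays.asList("allowLoadLocalInfile", "allowUrlInLocalInfile", "autoDeserialize"));

    // Vulnerable shape: the blocklist is an ordinary instance field of the bean that
    // Jackson binds the request body to. Lombok's @Data would generate every accessor
    // below; they are written out by hand so this compiles without Lombok.
    public static class VulnerableMysqlConfig {
        private String host;
        private String extraParams;
        private List<String> illegalParameters = DEFAULT_ILLEGAL_PARAMETERS;

        public String getHost() { return host; }
        public void setHost(String host) { this.host = host; }
        public String getExtraParams() { return extraParams; }
        public void setExtraParams(String extraParams) { this.extraParams = extraParams; }
        public List<String> getIllegalParameters() { return illegalParameters; }
        // The @Data-generated setter: Jackson sees a writable property named
        // "illegalParameters" and binds "illegalParameters": [] to it.
        public void setIllegalParameters(List<String> illegalParameters) {
            this.illegalParameters = illegalParameters;
        }

        public boolean extraParamsAllowed() { return allowed(extraParams, illegalParameters); }
    }

    // Hardened shape (one possible fix, not necessarily the upstream patch): the
    // blocklist is a static final constant. Jackson never binds static fields and
    // Lombok generates no setter for them, so the request body cannot touch it.
    public static class HardenedMysqlConfig {
        private static final List<String> ILLEGAL_PARAMETERS = DEFAULT_ILLEGAL_PARAMETERS;
        private String host;
        private String extraParams;

        public String getHost() { return host; }
        public void setHost(String host) { this.host = host; }
        public String getExtraParams() { return extraParams; }
        public void setExtraParams(String extraParams) { this.extraParams = extraParams; }

        public boolean extraParamsAllowed() { return allowed(extraParams, ILLEGAL_PARAMETERS); }
    }

    // Split "k1=v1&k2=v2" into an ordered map. Keys are trimmed so a leading space
    // cannot slip a blocked name past an exact-match comparison.
    static Map<String, String> parseExtraParams(String extraParams) {
        Map<String, String> out = new LinkedHashMap<>();
        if (extraParams == null || extraParams.isEmpty()) return out;
        for (String pair : extraParams.split("&")) {
            int eq = pair.indexOf('=');
            String key = (eq < 0 ? pair : pair.substring(0, eq)).trim();
            String value = eq < 0 ? "" : pair.substring(eq + 1).trim();
            if (!key.isEmpty()) out.put(key, value);
        }
        return out;
    }

    // Blocklist check: reject if any parameter key matches a blocked name. The
    // comparison is case-insensitive so mixed-case spellings do not evade it.
    static boolean allowed(String extraParams, List<String> blocklist) {
        for (String key : parseExtraParams(extraParams).keySet()) {
            for (String blocked : blocklist) {
                if (blocked.equalsIgnoreCase(key)) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Lenient mapper so the hardened bean simply drops the unknown property. With
        // Jackson's default FAIL_ON_UNKNOWN_PROPERTIES=true it would reject the whole
        // request instead, which is also a safe outcome.
        ObjectMapper mapper = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

        // Constructed attacker request body: empty the blocklist, then add the very
        // parameter the blocklist was meant to stop.
        String body = "{"
                + "\"host\": \"203.0.113.10\","
                + "\"illegalParameters\": [],"
                + "\"extraParams\": \"allowLoadLocalInfile=true&useSSL=false\""
                + "}";

        VulnerableMysqlConfig v = mapper.readValue(body, VulnerableMysqlConfig.class);
        System.out.println("vulnerable: blocklist after binding = " + v.getIllegalParameters());
        System.out.println("vulnerable: extraParams accepted   = " + v.extraParamsAllowed());

        HardenedMysqlConfig h = mapper.readValue(body, HardenedMysqlConfig.class);
        System.out.println("hardened:   extraParams accepted   = " + h.extraParamsAllowed());
    }
}
```

Run with jackson-databind on the classpath: the vulnerable bean reports an empty blocklist after binding and accepts allowLoadLocalInfile=true, while the hardened bean keeps its blocklist and rejects the same body. Annotating the setter with Jackson's @JsonIgnore, or dropping @Data in favour of explicit @Getter on the field, would close the hole just as well; what matters is that a security control is never a writable property of a request-bound bean. Independently of that, a blocklist of driver parameters is fragile by construction, and an allowlist of the handful of parameters the product actually needs is the stronger design.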

Affected Version(s)

dataease < 2.10.21

CVSS v4.0

Score: 8.3
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined (not set on this page; the description above requires an authenticated attacker, which corresponds to Low)
User Interaction: None
Confidentiality: High
Integrity: None
Availability: None
