DataEase Open Source Tool Exposes Sensitive Data Due to Lack of Permission Validation
CVE-2026-53730

8.7HIGH

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-53730?

DataEase, an open source data visualization and analysis tool, has a vulnerability in versions prior to 2.10.24 due to a missing permission validation annotation on the /de2api/datasetData/previewSql endpoint. This allows any authenticated user to manipulate the datasourceId parameter to access the built-in engine database, leading to the execution of arbitrary SQL statements. As a result, sensitive core data can be exposed to unauthorized users. This issue has been addressed in version 2.10.24.

Affected Version(s)

dataease < 2.10.24

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.