DataEase Open Source Tool Exposes Sensitive Data Due to Lack of Permission Validation
CVE-2026-53730
8.7HIGH
What is CVE-2026-53730?
DataEase, an open source data visualization and analysis tool, has a vulnerability in versions prior to 2.10.24 due to a missing permission validation annotation on the /de2api/datasetData/previewSql endpoint. This allows any authenticated user to manipulate the datasourceId parameter to access the built-in engine database, leading to the execution of arbitrary SQL statements. As a result, sensitive core data can be exposed to unauthorized users. This issue has been addressed in version 2.10.24.
Affected Version(s)
dataease < 2.10.24
