Vulnerability Description
DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dataease | Dataease | < 2.10.20 |
Related Weaknesses (CWE)
References
- https://github.com/dataease/dataease/commit/8f1c21834a620d37dafb3fa24605c059d0a5Patch
- https://github.com/dataease/dataease/releases/tag/v2.10.20ProductRelease Notes
- https://github.com/dataease/dataease/security/advisories/GHSA-pj7p-3m49-52qqExploitVendor Advisory
FAQ
What is CVE-2026-32939?
CVE-2026-32939 is a vulnerability with a CVSS score of 8.1 (HIGH). DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsin...
How severe is CVE-2026-32939?
CVE-2026-32939 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32939?
Check the references section above for vendor advisories and patch information. Affected products include: Dataease Dataease.