Vulnerability Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.
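As an added illustration (constructed example code, not DataEase's own CalciteProvider or DatasourceServer code), the following Java shows the unsafe String.format pattern the advisory describes next to a hardened version. The query text, class and method names, and table names are assumptions; the point is that a table identifier cannot be bound as a prepared-statement parameter, so the defence is a strict identifier allowlist plus quoting, and the "known tables" list must come from schema metadata the server fetched itself rather than from a datasource definition the requesting user was able to register.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Constructed example, not DataEase code: why an "is the table name known?"
 * check is not enough when the list of known names is itself user-supplied,
 * and how to build identifier-bearing SQL safely.
 */
public class TableFieldSqlExample {

    // Shape of the vulnerable pattern: the caller-supplied name is formatted
    // straight into the statement text. The query itself is hypothetical.
    static String vulnerableSql(String tableName) {
        return String.format("SELECT * FROM %s WHERE 1 = 0", tableName);
    }

    // Identifier allowlist: leading letter or underscore, then word chars,
    // at most 64 characters. Quotes, spaces, semicolons and comment
    // sequences can never match.
    private static final Pattern SAFE_IDENT =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    /**
     * Hardened version. knownTables must be populated from schema metadata
     * (for example JDBC DatabaseMetaData.getTables on the live connection),
     * not from names stored with a user-registered API datasource, which is
     * the bypass the advisory describes.
     */
    static String hardenedSql(String tableName, Set<String> knownTables) {
        if (tableName == null || !SAFE_IDENT.matcher(tableName).matches()) {
            throw new IllegalArgumentException("table name is not a plain identifier");
        }
        if (!knownTables.contains(tableName)) {
            throw new IllegalArgumentException("table is not in the datasource schema");
        }
        // Quote the identifier (ANSI double quotes; substitute the dialect's
        // quote character, e.g. backticks for MySQL). Doubling any embedded
        // quote is redundant after the regex check but costs nothing.
        String quoted = "\"" + tableName.replace("\"", "\"\"") + "\"";
        return "SELECT * FROM " + quoted + " WHERE 1 = 0";
    }

    public static void main(String[] args) {
        // Constructed schema listing, standing in for metadata fetched
        // from the database rather than from a user-defined datasource.
        Set<String> schemaTables = Set.of("orders", "customers");

        // A plain identifier passes both checks and is emitted quoted.
        System.out.println(hardenedSql("orders", schemaTables));

        // A name carrying SQL syntax is rejected before any SQL is built,
        // even when it has been smuggled into the "known tables" list.
        String hostile = "orders\"; --"; // constructed, not from the advisory
        System.out.println(vulnerableSql(hostile)); // shows the broken statement
        try {
            hardenedSql(hostile, Set.of(hostile));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The membership check on its own reproduces the advisory's weakness: if the set of accepted names is derived from something the same user controls, the check passes trivially. The regex is the control that actually matters, and quoting the identifier afterwards means that even a name which slips through a looser allowlist can only be parsed as a name, not as statement syntax.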
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dataease | Dataease | < 2.10.21 |
Related Weaknesses (CWE)
References
- https://github.com/dataease/dataease/releases/tag/v2.10.21 (Release Notes)
- https://github.com/dataease/dataease/security/advisories/GHSA-pgh3-rgw3-xjmm (Exploit, Third Party Advisory)
FAQ
What is CVE-2026-33207?
CVE-2026-33207 is a vulnerability with a CVSS score of 8.8 (HIGH). DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql m...
How severe is CVE-2026-33207?
CVE-2026-33207 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33207?
Check the references section above for vendor advisories and patch information. Affected products include: Dataease Dataease.