PatchSiren cyber security CVE debrief
CVE-2026-50030 dataease CVE debrief
CVE-2026-50030 is a high-severity SQL injection vulnerability in DataEase, a data visualization and analysis tool. The vulnerability allows attackers to query arbitrary readable datasource tables and return them in preview responses. This issue was fixed in version 2.10.23. Affected users should apply the patch to prevent exploitation. The vulnerability exists in the DataEase SQL preview feature, which exposes the DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql. The endpoint accepts PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross, then stores decoded SQL in datasourceRequest.query. The CalciteProvider.fetchResultField executes it with prepareStatement(...).executeQuery(), allowing arbitrary readable datasource tables to be queried and returned in preview responses. Users of DataEase versions prior to 2.10.23 should verify their deployments and apply patches or mitigations as needed. This includes operators, administrators, and security teams responsible for managing DataEase deployments.
- Vendor
- dataease
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-18
Who should care
Users of DataEase versions prior to 2.10.23 should apply the patch to prevent exploitation of this vulnerability. This includes operators, administrators, and security teams responsible for managing DataEase deployments.
Technical summary
The vulnerability exists in the DataEase SQL preview feature, which exposes the DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql. The endpoint accepts PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross, then stores decoded SQL in datasourceRequest.query. The CalciteProvider.fetchResultField executes it with prepareStatement(...).executeQuery(), allowing arbitrary readable datasource tables to be queried and returned in preview responses. This issue is fixed in version 2.10.23.
Defensive priority
High
Recommended defensive actions
- Apply the patch by upgrading to DataEase version 2.10.23 or later
- Restrict access to the /de2api/datasetData/previewSql endpoint
- Monitor for suspicious activity on the DataEase instance
- Perform regular security audits and vulnerability assessments
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-15T20:17:13.233Z and last modified on 2026-07-18T02:17:09.673Z. The NVD entry is currently Deferred. This vulnerability affects DataEase versions prior to 2.10.23. Users should verify their deployments and apply patches or mitigations as needed.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T20:17:13.233Z and has not been modified since then. The NVD entry is currently Deferred.