PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50030 dataease CVE debrief

CVE-2026-50030 is a high-severity SQL injection vulnerability in DataEase, a data visualization and analysis tool. The vulnerability allows attackers to query arbitrary readable datasource tables and return them in preview responses. This issue was fixed in version 2.10.23. Affected users should apply the patch to prevent exploitation. The vulnerability exists in the DataEase SQL preview feature, which exposes the DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql. The endpoint accepts PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross, then stores decoded SQL in datasourceRequest.query. The CalciteProvider.fetchResultField executes it with prepareStatement(...).executeQuery(), allowing arbitrary readable datasource tables to be queried and returned in preview responses. Users of DataEase versions prior to 2.10.23 should verify their deployments and apply patches or mitigations as needed. This includes operators, administrators, and security teams responsible for managing DataEase deployments.

Vendor
dataease
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-18
Advisory published
2026-07-15
Advisory updated
2026-07-18

Who should care

Users of DataEase versions prior to 2.10.23 should apply the patch to prevent exploitation of this vulnerability. This includes operators, administrators, and security teams responsible for managing DataEase deployments.

Technical summary

The vulnerability exists in the DataEase SQL preview feature, which exposes the DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql. The endpoint accepts PreviewSqlDTO.sql, PreviewSqlDTO.datasourceId, and PreviewSqlDTO.isCross, then stores decoded SQL in datasourceRequest.query. The CalciteProvider.fetchResultField executes it with prepareStatement(...).executeQuery(), allowing arbitrary readable datasource tables to be queried and returned in preview responses. This issue is fixed in version 2.10.23.

Defensive priority

High

Recommended defensive actions

  • Apply the patch by upgrading to DataEase version 2.10.23 or later
  • Restrict access to the /de2api/datasetData/previewSql endpoint
  • Monitor for suspicious activity on the DataEase instance
  • Perform regular security audits and vulnerability assessments
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-15T20:17:13.233Z and last modified on 2026-07-18T02:17:09.673Z. The NVD entry is currently Deferred. This vulnerability affects DataEase versions prior to 2.10.23. Users should verify their deployments and apply patches or mitigations as needed.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T20:17:13.233Z and has not been modified since then. The NVD entry is currently Deferred.