PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50124 dataease CVE debrief

CVE-2026-50124 is a high-severity vulnerability in DataEase, an open-source data visualization tool. The issue allows for arbitrary code execution via a crafted payload uploaded through the Excel upload API. This vulnerability was fixed in version 2.10.23. Affected users should apply the patch immediately. The vulnerability arises from insufficient validation of uploaded files and improper use of the zip: protocol in H2 datasources.

Vendor
dataease
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-17
Advisory published
2026-07-15
Advisory updated
2026-07-17

Who should care

Users of DataEase versions prior to 2.10.23 should apply the patch immediately. Security teams monitoring open-source data visualization tools should prioritize this fix. IT teams responsible for data visualization and analysis tools should review their deployments and apply the necessary updates.

Technical summary

The vulnerability in DataEase arises from the /datasource/upload API, which allows uploading a payload.zip file. By creating an H2 datasource using the zip: protocol and executing an SQL dataset path, an attacker can cause precompiled Java aliases in test.mv.db to execute arbitrary code. This issue is addressed in version 2.10.23. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.

Defensive priority

High priority due to CVSS score of 7.1 and potential for code execution.

Recommended defensive actions

  • Apply the patch by upgrading to DataEase version 2.10.23 or later
  • Restrict access to the /datasource/upload API
  • Monitor for suspicious uploads and datasource creations
  • Implement additional security controls around Java alias execution
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-15T20:17:13.370Z and last modified on 2026-07-17T13:18:54.510Z. The NVD entry is currently Deferred. The vulnerability affects DataEase versions prior to 2.10.23. Users should verify their deployments and apply the patch or mitigations accordingly. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T20:17:13.370Z and has not been modified since then. The NVD entry is currently Deferred.