PatchSiren cyber security CVE debrief
CVE-2026-50529 dataease CVE debrief
CVE-2026-50529 is a vulnerability in DataEase, an open source data visualization and analysis tool. Prior to version 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket. This allows unauthenticated attackers who know a protected share UUID to obtain a valid link token for subsequent share-related API calls even with missing or invalid credentials. The issue is fixed in version 2.10.24. Affected product deployments should be reviewed for exposure and upgraded to the latest version. Defenders should verify affected product deployments, review official advisories, and plan vendor-supported updates or mitigations.
- Vendor
- dataease
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of DataEase prior to version 2.10.24 should be aware of this vulnerability and take steps to upgrade to the latest version. Affected operator teams, platform administrators, vulnerability management teams, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. They should plan vendor-supported updates or mitigations through normal change control where exposure is confirmed and review compensating controls for exposed systems while remediation is scheduled and verified.
Technical summary
The /de2api/share/proxyInfo share interface in DataEase, an open source data visualization and analysis tool, generates and returns X-DE-LINK-TOKEN before validating the share password or ticket. This allows unauthenticated attackers who know a protected share UUID to obtain a valid link token for subsequent share-related API calls even with missing or invalid credentials. The issue is fixed in version 2.10.24. Affected product deployments should be reviewed for exposure and upgraded to the latest version. Defenders should verify affected product deployments, review official advisories, and plan vendor-supported updates or mitigations.
Defensive priority
Highly Critical
Recommended defensive actions
- Upgrade to DataEase version 2.10.24 or later
- Review and update share-related API calls to ensure proper validation of share passwords or tickets
- Monitor for suspicious activity related to share interfaces
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-07T21:17:26.110Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that the vulnerability is in the /de2api/share/proxyInfo share interface of DataEase, an open source data visualization and analysis tool. Defenders should verify affected product deployments, review official advisories, and plan vendor-supported updates or mitigations. The issue is fixed in version 2.10.24.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:26.110Z and has not been modified since then.