PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50530 dataease CVE debrief

CVE-2026-50530 affects DataEase, an open source data visualization and analysis tool, through a vulnerability in its share mode chart data interface. The vulnerability allows unauthorized data retrieval by validating only the sceneId match with the resourceId in the link token, failing to validate tableId and field IDs in the request body. This issue is fixed in version 2.10.24. Users should apply patches to prevent unauthorized data retrieval.

Vendor
dataease
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of DataEase open source data visualization and analysis tool versions prior to 2.10.24 should apply the patch to prevent unauthorized data retrieval. Affected operators, platforms, vulnerability-management, and security teams should review and restrict access to share mode chart data interfaces.

Technical summary

CVE-2026-50530 is a vulnerability in the share mode chart data interface of DataEase, an open source data visualization and analysis tool. The interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource. This allows an attacker with a valid share link token to replace dataset identifiers and retrieve unauthorized data through POST /de2api/chartData/getData. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.

Defensive priority

High priority due to potential for unauthorized data retrieval.

Recommended defensive actions

  • Apply the patch by upgrading to DataEase version 2.10.24 or later
  • Review and restrict access to share mode chart data interfaces
  • Monitor for suspicious activity related to data retrieval
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-07T21:17:26.240Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that the vulnerability affects DataEase versions prior to 2.10.24. Defenders should verify affected scope and apply patches accordingly.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:26.240Z and has not been modified since then.