CVE-2026-45417

DataEase · DataEase

A second SQL injection vulnerability in DataEase allows authenticated users to execute arbitrary database commands due to improper input sanitization.

Executive summary

An authenticated SQL injection vulnerability in DataEase versions prior to 2.10.23 allows for unauthorized database interaction and compromise.

Vulnerability

This is an SQL injection flaw (CWE-89) affecting the DataEase application. An attacker with authenticated access can leverage this vulnerability to inject malicious SQL queries, potentially bypassing intended database restrictions.

Business impact

The CVSS score of 8.7 highlights the significant risk to business data. Successful exploitation could lead to unauthorized data exfiltration or modification, potentially resulting in data breaches, regulatory non-compliance, and loss of trust in the integrity of the data visualization platform.

Remediation

Immediate Action: Update DataEase to version 2.10.23 or higher to resolve the underlying SQL injection flaw.

Proactive Monitoring: Monitor database query performance and audit logs for anomalous SQL syntax or unauthorized access attempts from user accounts.

Compensating Controls: Utilize a Web Application Firewall (WAF) configured with SQL injection protection rules to inspect and filter suspicious requests directed at the application.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

The update to version 2.10.23 addresses this vulnerability and should be deployed promptly. In addition to patching, security teams should rotate credentials for accounts that may have been subjected to unauthorized activity and audit the database for any signs of unauthorized configuration changes or data access.