CVE-2026-45533

dataease · dataease

A path traversal vulnerability in the DataEase open source data visualization tool allows authenticated users to access restricted directories.

Executive summary

A path traversal vulnerability in DataEase allows authenticated users to access restricted file paths, potentially leading to unauthorized data exposure or system compromise.

Vulnerability

This is a path traversal vulnerability (CWE-22) that allows an authenticated user to manipulate file paths to access directories outside of the intended scope. The vulnerability requires a low-privileged account to execute the attack, as indicated by the CVSS vector.

Business impact

By bypassing file system restrictions, an attacker could potentially read sensitive configuration files or other critical system data. With a CVSS score of 8.3, this vulnerability poses a high risk to the confidentiality and availability of the data visualization platform and its underlying host environment.

Remediation

Immediate Action: Update DataEase to version 2.10.23 or later to incorporate the necessary file path validation fixes.

Proactive Monitoring: Review system and application logs for unusual file access patterns or requests containing directory traversal sequences such as dot-dot-slash strings.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block path traversal attempts targeting the application.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Organizations using DataEase should treat this as a high-priority update. Upgrading to version 2.10.23 is the only definitive way to close the path traversal vulnerability and prevent potential unauthorized access to sensitive file system resources.