Skip to main content

DataEase CVE-2026-50529

| EUVDEUVD-2026-42099 HIGH
Incorrect Authorization (CWE-863)
2026-07-07 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable, unauthenticated token issuance before credential check gives AV:N/AC:L/PR:N/UI:N; impact is confidential data disclosure only, so C:H, I:N, A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 22:01 EUVD
Analysis Generated
Jul 07, 2026 - 21:31 vuln.today

DescriptionCVE.org

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid link token for subsequent share-related API calls even with missing or invalid credentials. This issue is fixed in version 2.10.24.

AnalysisAI

Authentication bypass in DataEase open-source BI platform before 2.10.24 lets unauthenticated remote attackers who know a protected share UUID retrieve a valid X-DE-LINK-TOKEN from the /de2api/share/proxyInfo endpoint, because the token is issued before the share password or ticket is checked. With that token an attacker can call subsequent share APIs and read data behind password-protected dashboards without valid credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain protected share UUID
Delivery
Request /de2api/share/proxyInfo without valid password
Exploit
Receive valid X-DE-LINK-TOKEN
Execution
Replay token to share APIs
Impact
Exfiltrate protected dashboard data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to know a valid UUID of a password- or ticket-protected DataEase share and network access to the /de2api/share/proxyInfo endpoint; no valid password, ticket, account, or user interaction is needed, since the X-DE-LINK-TOKEN is issued before credential validation (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N, base 8.7) describes a network-reachable, low-complexity, unauthenticated attack with high confidentiality impact and no integrity or availability impact - consistent with the description of unauthorized data disclosure via a leaked token. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker learns a protected share UUID - for example from a forwarded link, browser history, proxy logs, or a shared chat message - and sends an unauthenticated request to /de2api/share/proxyInfo with a missing or wrong password. The endpoint returns a valid X-DE-LINK-TOKEN, which the attacker replays to the share APIs to read the protected dashboard's data without ever supplying the correct credential. …
Remediation Vendor-released patch: upgrade to DataEase 2.10.24, which reorders the /de2api/share/proxyInfo logic to validate the share password or ticket before issuing the X-DE-LINK-TOKEN (fix commit c4e85a981e53c95b1ea73757db31e3025efdc410; release https://github.com/dataease/dataease/releases/tag/v2.10.24; advisory https://github.com/dataease/dataease/security/advisories/GHSA-7287-qqj9-phr6). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all DataEase deployments, verify versions, and assess exposure of internet-facing or untrusted-network-accessible instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-49003 CRITICAL POC
9.8 Jun 26

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m

CVE-2025-49002 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.

CVE-2025-49001 CRITICAL POC
9.8 Jun 03

Auth bypass in DataEase BI tool before 2.10.10.

CVE-2025-53005 CRITICAL POC
9.8 Jul 01

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53004 CRITICAL POC
9.8 Jun 30

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2025-53006 CRITICAL POC
9.8 Jul 02

A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-23958 CRITICAL POC
9.8 Jan 22

DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack

CVE-2024-46997 CRITICAL POC
9.8 Sep 23

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-37258 CRITICAL POC
9.8 Jul 25

DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-33963 CRITICAL POC
9.8 Jun 01

DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-28437 CRITICAL POC
9.8 Mar 25

Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2022-39312 CRITICAL POC
9.8 Oct 25

Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r

Share

CVE-2026-50529 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy