Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Whitelisted download endpoint gives unauthenticated network read (PR:N, C:H); authenticated delete/retry of others' tasks adds limited integrity impact (I:L); low complexity, no scope change.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download (/exportCenter/download/{id}), delete (/exportCenter/delete), retry (/exportCenter/retry/{id}), or generate download links (/exportCenter/generateDownloadUri/{id}) for export tasks belonging to other users by manipulating the task ID parameter, and the /exportCenter/download/{id} endpoint is whitelisted from authentication, allowing unauthenticated access to exported files. This issue is fixed in version 2.10.24.
AnalysisAI
{id} route is explicitly whitelisted from authentication, exported data files can be pulled by fully unauthenticated remote attackers, matching the vendor's CVSS 4.0 PR:N rating (8.7, High). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial ID-enumeration attack pattern makes exploitation straightforward once the endpoint is reachable.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The unauthenticated data-disclosure path requires only that the /exportCenter/download/{id} endpoint be network-reachable and that a valid export task exists for the guessed/enumerated {id} - no credentials, user interaction, or special configuration, because that route is whitelisted from authentication by default. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) describes a network-reachable, low-complexity, no-privilege, no-interaction attack with high confidentiality impact - a genuine priority where the DataEase instance is internet- or intranet-exposed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the DataEase web interface issues GET requests to /exportCenter/download/{id}, incrementing or guessing the task ID; because that endpoint is exempt from authentication, they retrieve other users' exported datasets and reports without any credentials. With a low-privilege authenticated account they can further call /exportCenter/delete, /retry/{id}, or /generateDownloadUri/{id} on tasks they do not own to destroy or re-share other users' exports. … |
| Remediation | Upgrade to the fixed release - Vendor-released patch: v2.10.24 (https://github.com/dataease/dataease/releases/tag/v2.10.24), which adds ownership checks on export-task IDs and removes the download endpoint from the authentication whitelist (commit 57e90bdcc21c3fa2ec57184671603ad88a5b941b; advisory GHSA-9423-78gr-xjj5). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all affected systems; review access logs for exploitation attempts; implement network-layer access controls restricting the endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.
Auth bypass in DataEase BI tool before 2.10.10.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42088