Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint exploitable by any authenticated user (PR:L) with no interaction; arbitrary SQL on the engine DB yields high confidentiality and integrity with limited availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation, allowing any authenticated user to specify datasourceId=-1, access the built-in engine database, execute arbitrary SQL statements, and read sensitive core data. This issue is fixed in version 2.10.24.
AnalysisAI
Broken access control in DataEase before 2.10.24 lets any authenticated low-privilege user reach the /de2api/datasetData/previewSql endpoint, which is missing its mandatory @DePermit authorization check, and pass datasourceId=-1 to hit the built-in engine database and execute arbitrary SQL. This CWE-862 missing-authorization flaw exposes sensitive core application data and carries a CVSS 4.0 base score of 8.7 (High). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated DataEase account of any privilege level (CVSS PR:L) with network access to the application; no administrative role, no user interaction, and no non-default configuration are needed because the missing @DePermit annotation affects the default code path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are broadly consistent and point to a genuine priority for any multi-user DataEase deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who registers or is granted any low-privilege DataEase account sends a crafted authenticated request to /de2api/datasetData/previewSql with datasourceId set to -1 and an arbitrary SQL statement. Because the endpoint no longer enforces @DePermit, the query executes directly against the built-in engine database, letting the attacker read core application data such as user records, credentials, or cached dataset contents. … |
| Remediation | Vendor-released patch: upgrade to DataEase 2.10.24, which restores the mandatory @DePermit permission validation on the datasetData/previewSql endpoint; this is the primary and recommended fix per advisory GHSA-2jmq-vffm-4qmj (https://github.com/dataease/dataease/security/advisories/GHSA-2jmq-vffm-4qmj) and commit 7b47af38b8fa017c9eecb00a4a49264663189e7b (https://github.com/dataease/dataease/commit/7b47af38b8fa017c9eecb00a4a49264663189e7b). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all DataEase instances and document versions below 2.10.24. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.
Auth bypass in DataEase BI tool before 2.10.10.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42091