CVE-2026-32137
Published: 12 March 2026
Summary
CVE-2026-32137 is a high-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user-controllable tableName inputs prior to SQL concatenation, preventing SQL injection exploitation.
Ensures timely identification, reporting, and correction of the SQL injection flaw by applying the fix in Dataease version 2.10.20.
Restricts tableName inputs to only permitted values, blocking malicious SQL injection attempts via crafted table names.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-exposed web endpoint directly enables exploitation of public-facing application (T1190) and arbitrary queries against datasources/databases (T1213.006).
NVD Description
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject malicious SQL…
more
statements by constructing malicious table names. This vulnerability is fixed in 2.10.20.
Deeper analysisAI
CVE-2026-32137 is a SQL injection vulnerability affecting Dataease, an open source data visualization analysis tool. In versions prior to 2.10.20, the table parameter in the /de2api/datasource/previewData endpoint is directly concatenated into SQL statements without filtering or parameterization. Since the tableName is a user-controllable string, attackers can inject malicious SQL by crafting specially constructed table names, as classified under CWE-89. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-12.
An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows arbitrary SQL execution, potentially leading to high-impact compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) within the affected Dataease instance, such as data exfiltration, modification, or denial of service.
The vulnerability is fixed in Dataease version 2.10.20. Additional details are available in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-vgm2-269h-8624.
Details
- CWE(s)