Cyber Resilience

CVE-2026-32140

Critical · Public PoC

Published: 12 March 2026
Modified: 13 March 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0069 (48.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-32140 is a critical-severity Path Traversal (CWE-22) vulnerability in Dataease Dataease. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32140 affects Dataease, an open source data visualization analysis tool, in versions prior to 2.10.20. The vulnerability arises from the ability to control the IniFile parameter of the Redshift JDBC driver, which forces the driver to load an attacker-controlled configuration file. That file can inject dangerous JDBC properties, enabling remote code execution. The issue stems from the driver's getJdbcIniFile method: it automatically searches for a default configuration file named rsjdbc.ini, and it also honours a configuration-file path given explicitly as a JDBC URL parameter, so any file on the server can be loaded as the driver's configuration without restriction.

An attacker with low privileges, such as an authenticated user in Dataease (per CVSS PR:L), can exploit this over the network with low complexity and no user interaction required (CVSS AV:N/AC:L/UI:N). By manipulating the IniFile parameter in a JDBC URL, they can direct the Redshift JDBC driver to load a malicious configuration file, injecting properties that lead to remote code execution on the server (CVSS C:H/I:H/A:H, score 8.8).

The GitHub security advisory for Dataease (GHSA-jc9q-3jfw-mch4) confirms the vulnerability is fixed in version 2.10.20, recommending an upgrade to mitigate the risk. No additional workarounds are specified in the provided details.

Vulnerability details

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, by controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code execution. The Redshift JDBC driver execution flow reaches a method named getJdbcIniFile. The getJdbcIniFile method implements an aggressive automatic configuration file discovery mechanism. If not explicitly restricted, it searches for a file named rsjdbc.ini. In a JDBC URL context, users can explicitly specify the configuration file via URL parameters, which allows arbitrary files on the server to be loaded as JDBC configuration files. Within the Redshift JDBC driver properties, the parameter IniFile is explicitly supported and used to load an external configuration file. This vulnerability is fixed in 2.10.20.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows an authenticated low-privilege attacker to exploit a public-facing data visualization tool (Dataease) via network-accessible manipulation of JDBC URL parameters, leading directly to remote code execution, mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-58045 · Same product: Dataease Dataease
CVE-2026-33084 · Same product: Dataease Dataease
CVE-2025-58748 · Same product: Dataease Dataease
CVE-2024-57707 · Same product: Dataease Dataease
CVE-2026-33122 · Same product: Dataease Dataease
CVE-2024-56511 · Same product: Dataease Dataease
CVE-2026-33082 · Same product: Dataease Dataease
CVE-2025-57772 · Same product: Dataease Dataease
CVE-2025-58046 · Same product: Dataease Dataease
CVE-2026-33083 · Same product: Dataease Dataease

Affected Assets

Vendor: dataease · Product: dataease · Versions: ≤ 2.10.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Validates JDBC URL parameters such as IniFile to prevent loading of attacker-controlled configuration files leading to RCE.

prevent: Requires timely patching of Dataease to version 2.10.20 or later to remediate the vulnerable JDBC driver handling.

prevent: Restricts dangerous information inputs like arbitrary IniFile parameters in JDBC URLs to block exploitation paths.
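As an added example (not code from Dataease or from the Redshift JDBC driver), the Java class below shows what the input-validation control above looks like when applied to a user-supplied JDBC URL before it reaches the driver, and so also illustrates the IniFile mechanism described in the deeper analysis. It parses the option section of the URL, percent-decodes and lower-cases each key so that encoded or mixed-case spellings of IniFile do not slip past the check, and rejects any option that is not on a short allowlist rather than trying to enumerate every dangerous one. The allowlist contents, the `jdbc:redshift://` scheme check, the case-insensitive comparison and the sample URLs are assumptions made for this example and should be adjusted to the driver and datasource form actually in use.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Allowlist check for user-supplied JDBC URLs (illustrative; not Dataease code). */
public final class JdbcUrlGuard {

    /** Driver options that point the driver at files on the server. IniFile is the one
     *  named in the advisory; the set is deliberately small and must be extended per driver. */
    private static final Set<String> FILE_LOADING_KEYS = Set.of("inifile");

    /** Options a datasource form is allowed to pass through (assumed list for this example). */
    private static final Set<String> ALLOWED_KEYS =
            Set.of("ssl", "sslmode", "logintimeout", "applicationname");

    private JdbcUrlGuard() {}

    /** Parses the option section of a JDBC URL (everything after the first '?' or ';')
     *  into a map whose keys are percent-decoded and lower-cased. */
    static Map<String, String> parseOptions(String url) {
        Map<String, String> options = new LinkedHashMap<>();
        int cut = -1;
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c == '?' || c == ';') { cut = i; break; }
        }
        if (cut < 0) return options;
        for (String pair : url.substring(cut + 1).split("[&;]")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            String rawValue = eq < 0 ? "" : pair.substring(eq + 1);
            // Decode before comparing so "Ini%46ile" is seen as "inifile" (assumed: the
            // driver may match option names case-insensitively, so we compare conservatively).
            String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8).toLowerCase(Locale.ROOT);
            options.put(key, URLDecoder.decode(rawValue, StandardCharsets.UTF_8));
        }
        return options;
    }

    /** Returns the reasons a URL must be rejected; an empty list means it passed. */
    static List<String> violations(String url) {
        List<String> problems = new ArrayList<>();
        if (!url.toLowerCase(Locale.ROOT).startsWith("jdbc:redshift://")) {
            problems.add("unexpected JDBC scheme");
        }
        for (Map.Entry<String, String> e : parseOptions(url).entrySet()) {
            String key = e.getKey();
            if (FILE_LOADING_KEYS.contains(key)) {
                problems.add("file-loading option not permitted: " + key);
            } else if (!ALLOWED_KEYS.contains(key)) {
                problems.add("option not on allowlist: " + key);
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example; none are taken from the advisory.
        String[] samples = {
            "jdbc:redshift://warehouse.example.internal:5439/analytics?ssl=true",
            "jdbc:redshift://warehouse.example.internal:5439/analytics?ssl=true&IniFile=/tmp/attacker.ini",
            "jdbc:redshift://warehouse.example.internal:5439/analytics;ini%46ile=/tmp/attacker.ini",
            "jdbc:redshift://warehouse.example.internal:5439/analytics?ssl=true&unknownOption=1",
        };
        for (String url : samples) {
            List<String> problems = violations(url);
            System.out.println((problems.isEmpty() ? "ACCEPT " : "REJECT ") + url + " " + problems);
        }
    }
}
```

Run with `javac JdbcUrlGuard.java && java JdbcUrlGuard` (Java 11 or later for `URLDecoder.decode(String, Charset)`). Only the first sample is accepted; the plain, mixed-case and percent-encoded IniFile spellings are all rejected as file-loading options, and the unknown option is rejected by the allowlist. The allowlist, rather than a denylist alone, is the part that matters: the advisory shows that a single driver option can redirect configuration loading, and enumerating every such option for every driver a datasource form supports is not a check that stays complete.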