Cyber Posture

CVE-2026-32939

High · Public PoC

Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: 2.10.20
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.4th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32939 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Dataease Dataease. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-10 Information Input Validation): Mandates comprehensive input validation for JDBC URLs that accounts for locale inconsistencies, directly preventing smuggling of blacklisted parameters such as iNIT past flawed filters.

prevent (SI-2 Flaw Remediation): Requires timely identification, reporting, and correction of flaws such as the locale-handling discrepancy, enabling patching to version 2.10.20 or later to eliminate the vulnerability.

prevent: Enforces standardized JVM configuration settings, such as an explicit Locale.ENGLISH, to align DataEase validation with H2 parsing and mitigate Turkish-locale bypasses.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated bypass of JDBC parameter validation in public-facing DataEase app directly enables T1190; smuggling of H2 INIT/RUNSCRIPT parameters facilitates arbitrary SQL/Java execution mapped to T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.

Deeper analysis (AI)

CVE-2026-32939 affects DataEase, an open source data visualization analysis tool, in versions 2.10.19 and prior. The vulnerability stems from inconsistent locale handling in JDBC URL validation logic compared to the H2 JDBC engine's internal parsing. DataEase applies String.toUpperCase() without specifying an explicit locale, relying on the JVM's default runtime locale, while H2 JDBC normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), this causes lowercase 'i' to convert to 'İ' (dotted capital I) in DataEase's security checks, allowing bypass of blacklisted parameters.

Remote attackers with no privileges (AV:N/PR:N) can exploit this under high attack complexity (AC:H), crafting malicious JDBC parameters like "iNIT" that appear as "İNIT" in DataEase's filter (evading the blacklist) but are interpreted by H2 as "INIT". Successful exploitation smuggles dangerous parameters past validation, potentially leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) with CVSS score 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue, tied to CWE-178, has been confirmed exploitable in real DataEase deployments running under affected regional settings.
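The locale discrepancy described above is easy to reproduce in a few lines of Java. The following is an added illustration written for this page, not DataEase's own validation code or H2's parser: a hypothetical denylist check on H2 JDBC URL settings that normalizes with the JVM default locale, beside a hardened version that pins Locale.ENGLISH as H2 does. The JDBC URL, the denylist, and the `;KEY=VALUE` settings syntax used for splitting are assumptions for the demo; the class and method names are invented.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Added illustration (not DataEase code): why String.toUpperCase() without an
 * explicit Locale lets a denylist check disagree with H2's Locale.ENGLISH
 * normalization when the JVM runs under tr_TR.
 */
public class JdbcSettingNormalizationDemo {

    // Hypothetical denylist of H2 settings a validator would refuse.
    private static final String[] DENIED_SETTINGS = {"INIT"};

    // Splits the ";KEY=VALUE" settings that follow the database path in an
    // H2 URL and returns the keys. Assumed syntax for the demo.
    static List<String> settingKeys(String jdbcUrl) {
        List<String> keys = new ArrayList<>();
        String[] parts = jdbcUrl.split(";");
        for (int i = 1; i < parts.length; i++) {
            int eq = parts[i].indexOf('=');
            keys.add(eq < 0 ? parts[i] : parts[i].substring(0, eq));
        }
        return keys;
    }

    // Vulnerable pattern: normalization depends on Locale.getDefault().
    // Under tr_TR, "iNIT".toUpperCase() yields the dotted capital I, which
    // does not equal "INIT", so the denylist is silently bypassed.
    static boolean rejectsWithDefaultLocale(String jdbcUrl) {
        for (String key : settingKeys(jdbcUrl)) {
            String upper = key.toUpperCase();
            for (String denied : DENIED_SETTINGS) {
                if (upper.equals(denied)) return true;
            }
        }
        return false;
    }

    // Hardened pattern: normalize exactly as the consumer (H2) does, with an
    // explicit Locale.ENGLISH, so validator and engine see the same string.
    static boolean rejectsWithEnglishLocale(String jdbcUrl) {
        for (String key : settingKeys(jdbcUrl)) {
            String upper = key.toUpperCase(Locale.ENGLISH);
            for (String denied : DENIED_SETTINGS) {
                if (upper.equals(denied)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample URL carrying the mixed-case key from the advisory.
        String url = "jdbc:h2:mem:demo;iNIT=placeholder";
        Locale original = Locale.getDefault();
        try {
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            System.out.println("default locale = " + Locale.getDefault());
            System.out.println("\"iNIT\".toUpperCase()              = " + "iNIT".toUpperCase());
            System.out.println("\"iNIT\".toUpperCase(Locale.ENGLISH) = " + "iNIT".toUpperCase(Locale.ENGLISH));
            System.out.println("rejected by default-locale check: " + rejectsWithDefaultLocale(url));
            System.out.println("rejected by Locale.ENGLISH check: " + rejectsWithEnglishLocale(url));
        } finally {
            Locale.setDefault(original);
        }
    }
}
```

Run with `java JdbcSettingNormalizationDemo.java`; the default-locale check and the Locale.ENGLISH check disagree only while tr_TR is the default. Locale.ROOT is an equally safe choice for this kind of case folding. Pinning the JVM locale at startup (for example `-Duser.language=en -Duser.country=US`), as the third control above suggests, removes the dependency on host settings, but the durable fix is the explicit Locale argument in the validator itself, which is what upgrading to 2.10.20 delivers.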

The vulnerability is fixed in DataEase version 2.10.20. Relevant advisories and patches are detailed in the GitHub security advisory (GHSA-pj7p-3m49-52qq), the release notes for v2.10.20, and the fixing commit (8f1c21834a620d37dafb3fa24605c059d0a5b80d). Security practitioners should upgrade to 2.10.20 or later and verify JVM locale configurations in deployments.

Details

CWE(s): CWE-178 Improper Handling of Case Sensitivity

Affected Products

dataease / dataease: ≤ 2.10.20 as listed on this page; the NVD description gives versions 2.10.19 and below as affected, with 2.10.20 as the fixed release.

CVEs Like This One

CVE-2026-32140 · Same product: Dataease Dataease
CVE-2024-56511 · Same product: Dataease Dataease
CVE-2026-33122 · Same product: Dataease Dataease
CVE-2026-33084 · Same product: Dataease Dataease
CVE-2025-58748 · Same product: Dataease Dataease
CVE-2025-58046 · Same product: Dataease Dataease
CVE-2026-33082 · Same product: Dataease Dataease
CVE-2024-57707 · Same product: Dataease Dataease
CVE-2025-58045 · Same product: Dataease Dataease
CVE-2025-64428 · Same product: Dataease Dataease
