CVE-2026-33083
Published: 16 April 2026
Summary
CVE-2026-33083 is a high-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user-supplied orderDirection parameter to block SQL injection in dataset endpoints like /de2api/datasetData/enumValueDs.
Mandates timely patching of the SQL injection flaw fixed in DataEase version 2.10.21 to eliminate the vulnerability.
Enforces restrictions such as whitelisting orderDirection to safe values like 'ASC' or 'DESC' to prevent arbitrary SQL injection in ORDER BY clauses.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in internet-accessible web app endpoints (datasetData/enumValueDs, datasetTree/exportDataset) directly enables adversaries to exploit the public-facing application for data access or DoS impact.
NVD Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value…
more
into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.
Deeper analysisAI
CVE-2026-33083 is a SQL injection vulnerability affecting DataEase, an open-source data visualization and analytics platform, in versions 2.10.20 and prior. The flaw resides in the orderDirection parameter used by dataset-related endpoints, such as /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly incorporates the raw user-supplied orderDirection value into SQL queries without validation or whitelisting, rendering it into the ORDER BY clause via StringTemplate before database execution. This CWE-89 issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the sorting direction field, they can inject arbitrary SQL commands, facilitating time-based blind data extraction from the database or denial-of-service attacks through resource-intensive queries.
The vulnerability has been addressed in DataEase version 2.10.21, as detailed in the project's GitHub release notes and security advisory GHSA-f443-95cf-m837. Security practitioners should upgrade to the patched version and review access controls on dataset endpoints to mitigate exposure.
Details
- CWE(s)