CVE-2026-33084
Published: 16 April 2026
Summary
CVE-2026-33084 is a high-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SI-10 mandates validating user-supplied inputs like the sort parameter to prevent SQL injection by ensuring only valid values are passed to SQL construction.
SI-9 enforces input restrictions such as whitelisting permissible sort values at application boundaries to block arbitrary SQL commands in the ORDER BY clause.
SI-2 requires timely identification, reporting, and correction of flaws like this SQL injection vulnerability, including applying the fix in DataEase v2.10.21.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The SQL injection sits in an internet-accessible web endpoint (AV:N), which directly matches exploitation of a public-facing application; arbitrary SQL execution through the unsanitized sort parameter provides the initial-access vector, and the description implies no other techniques.
NVD Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly transfers the user-supplied sort value to the sorting metadata DTO, which is passed to Order2SQLObj where it is incorporated into the SQL ORDER BY clause without any whitelist validation, and then executed via CalciteProvider. An authenticated attacker can inject arbitrary SQL commands through the sort parameter, enabling time-based blind SQL injection. This issue has been fixed in version 2.10.21.
Deeper analysis [AI-generated]
CVE-2026-33084 is a SQL injection vulnerability (CWE-89) in DataEase, an open-source data visualization and analytics platform. Versions 2.10.20 and below are affected through the sort parameter in the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly passes user-supplied sort values to the sorting metadata DTO, which feeds into Order2SQLObj. This incorporates the value into the SQL ORDER BY clause without whitelist validation before execution via CalciteProvider, enabling arbitrary SQL command injection.
An authenticated attacker (PR:L) with network access (AV:N) can exploit this with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) with unchanged scope (S:U), as reflected in its CVSS v3.1 base score of 8.8. The vulnerability supports time-based blind SQL injection because the sort parameter is placed into the query text unvalidated.
The vulnerability has been fixed in DataEase version 2.10.21. Mitigation details are available in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-r897-r9q8-3p2x and the release notes for v2.10.21 at https://github.com/dataease/dataease/releases/tag/v2.10.21.
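The flaw described above and the SI-10/SI-9 mitigations listed earlier come down to one pattern: a user-supplied sort value is pasted into an ORDER BY clause, where allow-listing is the control that stops it. The following is an added illustration, not DataEase project code, and it does not model the DatasetDataManage, Order2SQLObj or CalciteProvider classes named in the advisory. The table, column names and sample rows are constructed for the demonstration; the weak builder is shown beside the allow-listed one so the difference in behaviour is visible when both are run against an in-memory SQLite table.

```python
"""Allow-list validation of a sort parameter before it reaches ORDER BY.

Added example (not DataEase code). The items table, its columns and the
sample rows are constructed for this demonstration.
"""
import re
import sqlite3

# Constructed allow-list: the only columns and directions a caller may sort by.
ALLOWED_SORT_COLUMNS = {"id", "name", "created_at"}
# A sort value must be exactly "<column>" or "<column> asc|desc"; nothing else.
_SORT_TOKEN = re.compile(
    r"^(?P<column>[A-Za-z_][A-Za-z0-9_]*)(?:\s+(?P<direction>asc|desc))?$",
    re.IGNORECASE,
)

# Constructed sample data (id, name, created_at).
SAMPLE_ROWS = [
    (1, "banana", "2024-01-02"),
    (2, "apple", "2024-01-01"),
    (3, "cherry", "2024-01-03"),
]


def vulnerable_order_by(sort: str) -> str:
    """The weak pattern from the advisory: the raw sort value becomes part of
    the query text, so any SQL the caller supplies is executed as SQL."""
    return f"SELECT id, name FROM items ORDER BY {sort}"


def validated_order_by(sort: str) -> str:
    """Hardened form (SI-10 input validation / allow-listing): accept only a
    known column plus an optional direction, and refuse everything else."""
    m = _SORT_TOKEN.match(sort.strip())
    if m is None:
        raise ValueError(f"malformed sort value: {sort!r}")
    column = m.group("column")
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    direction = (m.group("direction") or "ASC").upper()
    # column is now one of our own literals, so quoting it is purely defensive.
    return f'SELECT id, name FROM items ORDER BY "{column}" {direction}'


def _connect() -> sqlite3.Connection:
    """Build the constructed items table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def names_unvalidated(sort: str) -> list:
    """Run the weak builder: whatever is in `sort` reaches the database."""
    with _connect() as conn:
        return [row[1] for row in conn.execute(vulnerable_order_by(sort))]


def names_sorted_by(sort: str) -> list:
    """Run the hardened builder: the query is only built if `sort` passes."""
    with _connect() as conn:
        return [row[1] for row in conn.execute(validated_order_by(sort))]


def check_sort_values(values) -> dict:
    """Classify candidate sort strings as accepted or rejected by the allow-list.
    Useful as a unit test for the validator or as a log-review helper."""
    results = {}
    for value in values:
        try:
            validated_order_by(value)
            results[value] = "accepted"
        except ValueError:
            results[value] = "rejected"
    return results


if __name__ == "__main__":
    print(names_sorted_by("name desc"))
    print(check_sort_values(["name", "id ASC", "price", "name, (SELECT 1)"]))
```

The validator deliberately maps the request onto a fixed set of column identifiers rather than trying to escape or filter the raw string: a sort value that is not one of those identifiers never becomes SQL at all. Note that `names_unvalidated("name, (SELECT 1)")` runs without error, which is exactly the property the advisory describes, while `names_sorted_by` raises `ValueError` for the same input.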
Details
- CWE(s)