CVE-2026-33122
Published: 16 April 2026
Summary
CVE-2026-33122 is a critical-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation and sanitization of user-supplied inputs like deTableName before substitution into SQL statements.
Mandates timely remediation of the specific SQL injection flaw through patching to DataEase version 2.10.21 or later.
Mitigates error-based SQL injection exploitation by restricting detailed error messages that reveal database information.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in internet-facing DataEase web API (/de2api/datasource/update) directly enables initial access via exploitation of a public-facing application (T1190); error-based extraction of DB contents is a direct consequence of successful exploitation.
NVD Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field…
more
from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information. This issue has been fixed in version 2.10.21.
Deeper analysisAI
CVE-2026-33122 is a SQL injection vulnerability (CWE-89) affecting DataEase, an open-source data visualization and analytics platform, in versions 2.10.20 and prior. The flaw exists in the API datasource update process at the /de2api/datasource/update endpoint, where the user-supplied deTableName field from the configuration is passed unsanitized to DatasourceSyncManage.createEngineTable. This field is directly substituted into a CREATE TABLE statement template without sanitization or identifier escaping, allowing injection of arbitrary SQL commands. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker can exploit this issue by crafting a malicious deTableName value that breaks out of identifier quoting during a datasource update that adds a new table definition. This enables error-based SQL injection, allowing the attacker to extract sensitive database information. Despite the CVSS score indicating no privileges required (PR:N), the vulnerability description specifies exploitation by an authenticated user.
The issue has been addressed in DataEase version 2.10.21. Security practitioners should upgrade to this patched version immediately. Additional details are available in the official GitHub security advisory (GHSA-28vg-3hv7-w92f) and the release notes for v2.10.21.
Details
- CWE(s)