CVE-2026-33207
Published: 16 April 2026
Summary
CVE-2026-33207 is a high-severity SQL Injection (CWE-89) vulnerability in Dataease Dataease. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces validation and sanitization of the user-supplied tableName parameter to prevent SQL injection in the getTableFieldSql method.
Requires prompt remediation of the SQL injection flaw by upgrading to DataEase version 2.10.21 where parameterization is implemented.
Mitigates error-based SQL extraction by suppressing detailed database error messages in responses.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing DataEase web endpoint (/datasource/getTableField) directly enables T1190 (Exploit Public-Facing Application) for remote authenticated exploitation; arbitrary SQL execution facilitates T1213.006 (Data from Information Repositories: Databases) via error-based extraction and modification of backend database contents.
NVD Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization…
more
or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.
Deeper analysisAI
DataEase, an open-source data visualization and analytics platform, is affected by CVE-2026-33207, a SQL injection vulnerability in versions 2.10.20 and earlier. The issue resides in the /datasource/getTableField endpoint, where the getTableFiledSql method in CalciteProvider.java directly incorporates the user-supplied tableName parameter into SQL query strings via String.format without parameterization or sanitization. While DatasourceServer.java performs validation to ensure the table name exists in the datasource, this check can be bypassed.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By first registering an API datasource containing a malicious deTableName—which is then enumerated by the getTables method and passes validation—the attacker can supply a crafted tableName to inject arbitrary SQL commands. This enables error-based extraction of sensitive database information, with high impacts on confidentiality, integrity, and availability (CVSS 8.8; C:H/I:H/A:H; CWE-89).
The vulnerability has been addressed in DataEase version 2.10.21, as detailed in the project's GitHub release notes and security advisory GHSA-pgh3-rgw3-xjmm. Security practitioners should upgrade to the patched version and review configurations for API datasources to mitigate exposure.
Details
- CWE(s)