CVE-2026-40900
Published: 16 April 2026
Summary
CVE-2026-40900 is a high-severity SQL Injection (CWE-89) vulnerability in DataEase. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 10.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates SQL injection by requiring validation and sanitization of user-supplied SQL inputs at the /de2api/datasetData/previewSql endpoint to ensure they are single SELECT statements.
- Addresses the vulnerability through timely flaw remediation by upgrading DataEase to version 2.10.21, which fixes the subquery wrapping and JDBC multi-query bypass.
- Limits damage from successful SQL injection by enforcing least privilege on database accounts tied to datasource credentials, preventing unauthorized read/write operations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing DataEase web endpoint (/de2api/datasetData/previewSql) directly enables T1190 exploitation; arbitrary stacked SQL writes (UPDATE etc.) via JDBC bypass facilitate T1565.001 stored data manipulation on the connected database.
NVD Description
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.
Deeper analysis
CVE-2026-40900 is a SQL injection vulnerability affecting DataEase, an open-source data visualization and analytics platform, in versions 2.10.20 and prior. The flaw resides in the /de2api/datasetData/previewSql endpoint, where user-supplied SQL input is wrapped in a subquery without validation to ensure it is a single SELECT statement. This issue is exacerbated by a JDBC blocklist bypass that enables allowMultiQueries=true, allowing attackers to escape the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. The vulnerability is classified under CWE-89 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with access to valid datasource credentials can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants full read and write access to the underlying database, enabling data exfiltration, modification, or destruction depending on database permissions.
The issue has been addressed in DataEase version 2.10.21, as detailed in the project's GitHub release notes and security advisory GHSA-vqxf-84ph-j3vx. Security practitioners should upgrade to the patched version and review access controls for datasource credentials to mitigate risks.
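As an added illustration of the single-SELECT validation the SI-10 control above calls for (example code written for this page, not DataEase's own implementation), the following Python checks reject a preview query that carries a stacked statement or a write keyword outside comments and string literals, and flag a JDBC URL whose decoded query string turns on allowMultiQueries. Function names and the keyword list are this example's own choices.

```python
import re
from urllib.parse import parse_qs

# Illustrative denylist: catches writable CTEs, SELECT ... INTO, DDL, etc.
WRITE_KEYWORDS = re.compile(
    r"\b(insert|update|delete|drop|alter|create|truncate|grant|revoke|merge|"
    r"call|exec|execute|into|load)\b", re.IGNORECASE)

def is_single_select(sql: str) -> bool:
    """True only if `sql` is one SELECT (or WITH ... SELECT) statement; comments are
    dropped and quoted literals blanked so a hidden ';' or keyword cannot confuse it."""
    cleaned, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":                       # quoted literal or identifier
            j = i + 1
            while j < n:
                if sql[j] == "\\":            # backslash escape
                    j += 2
                elif sql[j] == c and sql[j + 1:j + 2] == c:
                    j += 2                    # doubled-quote escape
                elif sql[j] == c:
                    break
                else:
                    j += 1
            cleaned.append("?")
            i = j + 1
        elif sql.startswith("--", i) or c == "#":   # line comment
            while i < n and sql[i] != "\n":
                i += 1
        elif sql.startswith("/*", i):               # block comment
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            cleaned.append(c)
            i += 1
    text = "".join(cleaned).strip().rstrip(";").strip()
    if not text or ";" in text:               # empty, or a stacked statement
        return False
    if WRITE_KEYWORDS.search(text):           # write operation smuggled into a SELECT
        return False
    return re.match(r"(?i)(select|with)\b", text) is not None

def jdbc_url_enables_multiqueries(url: str) -> bool:
    """True if the JDBC URL's decoded, case-folded query string sets allowMultiQueries=true."""
    query = url.partition("?")[2]
    params = parse_qs(query, keep_blank_values=True)
    return any(k.lower() == "allowmultiqueries" and "true" in (v.lower() for v in vals)
               for k, vals in params.items())
```

This lexical pass is a defense-in-depth layer; a deployment should additionally parse the statement with a proper SQL grammar and keep least privilege on the datasource account.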
Details
- CWE(s)