CVE-2026-50530

high

Description

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing an attacker with a valid share link token to replace dataset identifiers and retrieve unauthorized data through POST /de2api/chartData/getData. This issue is fixed in version 2.10.24.

References

https://github.com/dataease/dataease/security/advisories/GHSA-qcf4-345v-6vg9

https://github.com/dataease/dataease/releases/tag/v2.10.24

https://github.com/dataease/dataease/commit/c4e85a981e53c95b1ea73757db31e3025efdc410

Details

Source: Mitre, NVD

Published: 2026-07-07

Updated: 2026-07-07

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

CVSS v4

Base Score: 7.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: High