PT-2026-33359 · Dataease · Dataease

Published: 2026-04-16 · Updated: 2026-04-17 · CVE-2026-33207

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.21

Description: An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. The issue exists in the '/datasource/getTableField' endpoint, where the getTableFiledSql() function in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. While DatasourceServer.java validates that the table name exists, this check can be bypassed by registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation.

Recommendations: Update to version 2.10.21.
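The weakness described above is a check against an allow-list the requester can itself populate, followed by String.format interpolation of the checked value. The following is an added, hypothetical Java illustration (not DataEase code; all class, method and table names are constructed) showing that shape next to a hardened one that restricts identifiers by pattern, quotes them, and takes the allow-list from the database catalog rather than from user-registered metadata.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical illustration of the pattern in the description; not project code.
public class TableNameCheck {

    // Vulnerable shape: the existence check uses whatever list the datasource
    // reports. If the requester registered that datasource, the requester chose
    // the names, so the check adds no protection before String.format.
    static String buildFieldSqlUnsafe(String tableName, List<String> tablesFromDatasource) {
        if (!tablesFromDatasource.contains(tableName)) {
            throw new IllegalArgumentException("unknown table");
        }
        return String.format("SELECT * FROM %s LIMIT 0", tableName); // unparameterised identifier
    }

    // Hardened shape: only plain identifiers are accepted, the identifier is
    // quoted, and the allow-list comes from the database's own catalog.
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    static String buildFieldSqlSafe(String tableName, Set<String> tablesFromCatalog) {
        if (!IDENT.matcher(tableName).matches() || !tablesFromCatalog.contains(tableName)) {
            throw new IllegalArgumentException("table name rejected");
        }
        // Standard SQL identifier quoting; doubling embedded quotes is redundant
        // after the pattern check but kept as defence in depth.
        return "SELECT * FROM \"" + tableName.replace("\"", "\"\"") + "\" LIMIT 0";
    }

    public static void main(String[] args) {
        // Constructed sample: a "table name" containing whitespace, as a
        // user-registered datasource could return it from its table listing.
        List<String> fromDatasource = List.of("t1 x", "users");
        System.out.println(buildFieldSqlUnsafe("t1 x", fromDatasource)); // check passes, SQL text altered

        // Catalog-derived allow-list plus identifier pattern: the same input is refused.
        Set<String> fromCatalog = Set.of("users", "orders");
        System.out.println(buildFieldSqlSafe("users", fromCatalog));
        try {
            buildFieldSqlSafe("t1 x", fromCatalog);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For detection, the same observation applies server-side: a table name returned by a datasource's own metadata that fails the identifier pattern is a strong signal worth logging and alerting on.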

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-33207

Affected Products: Dataease