CVE-2026-40899

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.21

Description A JDBC parameter blocklist bypass exists in the MySQL datasource configuration. The Mysql class utilizes the Lombok @Data annotation, which automatically generates a public setter for the illegalParameters field containing the JDBC security blocklist. During JSON submission of a datasource configuration, Jackson deserialization invokes setIllegalParameters() with an attacker-supplied empty list, overriding the blocklist before the getJdbc() validation occurs. This enables an authenticated attacker to include dangerous JDBC parameters, such as allowLoadLocalInfile=true. By directing the datasource to a rogue MySQL server, the attacker can exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the server filesystem, including database credentials and sensitive environment variables.

Recommendations Update to version 2.10.21.