CVE-2026-32939

HIGH

DataEase is Vulnerable to H2 JDBC RCE Bypass

Title source: cna

Description

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.

References (3)

Core 3

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/dataease/dataease/security/advisories/GHSA-pj7p-3m49-52qq

X_Refsource_Misc x_refsource_misc

https://github.com/dataease/dataease/commit/8f1c21834a620d37dafb3fa24605c059d0a5b80d

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/dataease/dataease/releases/tag/v2.10.20

Scores

CVSS v4 7.7

EPSS 0.0007

EPSS Percentile 21.4%

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-178

Status published

Products (1)

dataease/dataease < 2.10.20

Published Mar 20, 2026

Tracked Since Mar 20, 2026