CVE-2026-32939

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-32939
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32939.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32939
Aliases
  • GHSA-pj7p-3m49-52qq
Published
2026-03-20T03:27:46.645Z
Modified
2026-04-12T20:14:08.083588Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N CVSS Calculator
Summary
DataEase is Vulnerable to H2 JDBC RCE Bypass
Details

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.

Database specific 
{
    "cwe_ids": [
        "CWE-178"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32939.json"
}
References

Affected packages

Git / github.com/dataease/dataease

Affected ranges

Type
GIT
Repo
https://github.com/dataease/dataease
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8f1c21834a620d37dafb3fa24605c059d0a5b80d
Type
GIT
Repo
https://github.com/dataease/dataease
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ba0052aff05d85b5ae6e81f687b777b242222dd4

Affected versions

v1.*
v1.0.0
v2.*
v2.10.0
v2.10.1
v2.10.10
v2.10.11
v2.10.12
v2.10.13
v2.10.14
v2.10.15
v2.10.16
v2.10.17
v2.10.18
v2.10.19
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.10.7
v2.10.8
v2.10.9
v2.2.0
v2.3.0
v2.6.0

Database specific

vanir_signatures_modified 
"2026-04-12T20:14:08Z"
vanir_signatures 
[
    {
        "source": "https://github.com/dataease/dataease/commit/8f1c21834a620d37dafb3fa24605c059d0a5b80d",
        "target": {
            "file": "core/core-backend/src/main/java/io/dataease/datasource/type/Redshift.java"
        },
        "id": "CVE-2026-32939-e7a01877",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "145253778812515277827971481512648571369",
                "56220121591075038882146836470231368475",
                "264588350066301983710057181354862547185",
                "183920010412626920216261108551792835631"
            ],
            "threshold": 0.9
        }
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32939.json"