{ "variant_id": "CVE-2026-40899-variant-analysis", "created_at": "2026-05-25T14:00:00Z", "variant_summary": "Systematic variant analysis of CVE-2026-40899 blocklist bypass. Eight distinct payloads were tested against the fixed version (v2.10.21), including alternate datasource types (mariadb, oracle, pg), direct jdbcUrl mode, double URL encoding, case variations, parent-field property names, and alternate endpoints (save). None bypassed the fix. The fix (@JsonIgnore on illegalParameters in 9 datasource type classes) was confirmed complete for this vulnerability class via source-code audit and a standalone Java Jackson deserialization test.", "relation": "newer_version_sibling", "origin_kind": "pruva_variant", "repository": "https://github.com/dataease/dataease", "submitted_target": { "target_kind": "docker_image", "version": "v2.10.20", "display": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.20" }, "variant_target": { "target_kind": "docker_image", "version": "v2.10.21", "display": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.21" }, "same_root_cause_confidence": "high", "same_surface_confidence": "medium", "claimed_surface": "POST /de2api/datasource/validate (or /save) with Base64-encoded configuration JSON containing illegalParameters override", "validated_surface": "POST /de2api/datasource/validate (or /save) with 8 distinct variant payloads against fixed v2.10.21", "required_entrypoint_kind": "http_api", "required_entrypoint_detail": "POST /de2api/datasource/validate or /de2api/datasource/save with a JSON body containing a Base64-encoded datasource configuration object", "attacker_controlled_input": "Base64-encoded JSON configuration string inside the 'configuration' field of the request body", "trigger_path": "DatasourceServer.validate() -> checkDatasourceStatus() -> ProviderFactory.getProvider() -> CalciteProvider.getConnection() -> JsonUtil.parseObject() -> .getJdbc() -> illegalParameters check", "observed_impact_class": "arbitrary_file_read", "exploitability_confidence": "none_found", "evidence_scope": "source_audit_and_jackson_unit_test", "runtime_manifest_present": false, "end_to_end_target_reached": false, "inferred": false, "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java", "line_start": 15, "line_end": 16, "secondary_anchors": [ { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/Impala.java", "line_start": 17, "line_end": 18 }, { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/Pg.java", "line_start": 17, "line_end": 18 }, { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/Sqlserver.java", "line_start": 17, "line_end": 18 }, { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/Db2.java", "line_start": 15, "line_end": 16 }, { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/H2.java", "line_start": 16, "line_end": 17 }, { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/CK.java", "line_start": 33, "line_end": 34 }, { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/Redshift.java", "line_start": 20, "line_end": 21 }, { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/Mongo.java", "line_start": 15, "line_end": 16 }, { "file_path": "core/core-backend/src/main/java/io/dataease/datasource/provider/CalciteProvider.java", "line_start": 406, "line_end": 442 } ], "review_scope_paths": [ "core/core-backend/src/main/java/io/dataease/datasource/type/", "core/core-backend/src/main/java/io/dataease/datasource/provider/CalciteProvider.java", "core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java", "sdk/extensions/extensions-datasource/src/main/java/io/dataease/extensions/datasource/vo/DatasourceConfiguration.java", "sdk/extensions/extensions-datasource/src/main/java/io/dataease/extensions/datasource/vo/Configuration.java" ], "artifact_refs": { "variant_manifest": "vuln_variant/variant_manifest.json", "validation_verdict": "vuln_variant/validation_verdict.json", "runtime_manifest": null, "repro_log": "logs/variant_repro_run.log", "root_cause_equivalence": null, "reproducer": ["vuln_variant/reproduction_steps.sh", "vuln_variant/test_variants_fixed.sh"] } }