{
  "ticket_id": "CVE-2026-40901",
  "code_root": "external/dataease",
  "source": {
    "type": "cve",
    "cve_id": "CVE-2026-40901",
    "advisory_url": "https://www.ox.security/blog/from-auth-bypass-to-rce-a-4-vulnerability-exploit-chain-in-dataease/",
    "vendor": "FIT2CLOUD / DataEase",
    "product": "DataEase",
    "repo": "https://github.com/dataease/dataease"
  },
  "facts": {
    "cve_id": "CVE-2026-40901",
    "issue_summary": "DataEase uses the Quartz scheduler with the JDBC JobStore backend for periodic tasks. Quartz persists each job's JobDataMap in the qrtz_job_details.JOB_DATA column as a Java-serialized blob and, when a trigger for that job fires, the scheduler thread loads the blob back with a plain ObjectInputStream.readObject call that applies no deserialization filter or class allow-list. The sink is therefore reachable by anyone who can write that column. The DataEase classpath additionally ships a commons-collections version containing known gadget classes, so an attacker with INSERT/UPDATE access to qrtz_job_details (obtained via the stacked-SQLi step CVE-2026-40900) can store a serialized gadget chain in JOB_DATA and obtain arbitrary Java method execution as the DataEase process user the next time that job's trigger fires. The root cause is the unrestricted deserialization of database-sourced data; commons-collections only supplies the gadget chain used here.",
    "vulnerability_type": "Insecure deserialization of attacker-controlled Quartz JobDataMap (CWE-502)",
    "suspected_cwe": ["CWE-502"],
    "affected_versions": "DataEase community-edition <= v2.10.20",
    "fixed_versions": ["v2.10.21"],
    "reproduce_version": "v2.10.20",
    "verify_fixed_version": "v2.10.21",
    "repo_url": "https://github.com/dataease/dataease.git",
    "vulnerable_ref": "v2.10.20",
    "fixed_ref": "v2.10.21",
    "code_root": "external/dataease",
    "attacker_access": "authenticated admin + ability to write to qrtz_job_details (chains from CVE-2026-23958 + CVE-2026-40900; for standalone reproduction the row can be written with a direct MySQL client using the database credentials already present in docker-compose.yml). Note that the standalone path bypasses the SQLi step entirely, so on its own it demonstrates only that the Quartz JOB_DATA deserialization sink yields code execution from a database write; it does not exercise the authentication or SQL-injection boundary of the full chain.",
    "primary_entry_point": "INSERT/UPDATE of the qrtz_job_details.JOB_DATA blob in DataEase's MySQL database; trigger is the Quartz scheduler poll loop firing the next scheduled execution.",
    "validation_target": "Container-local marker: a benign command that writes a file containing 'cve-2026-40901-pwned' plus the current user/hostname into /tmp inside the DataEase container. Evidence is captured by `docker exec dataease cat /tmp/pruva-cve-2026-40901.txt`.",
    "no_network_exfiltration": "Do NOT use a reverse shell or any outbound network beacon. The reproduction must demonstrate code execution using only container-local file write evidence.",
    "evidence_strategy": "Use a public reference like the ysoserial project's CommonsCollections payload generator to produce a serialized blob whose deserialization runs a single, benign command that writes the string 'cve-2026-40901-pwned' together with the output of `id` and `hostname` to /tmp/pruva-cve-2026-40901.txt, so that the file matches what validation_target expects. Caveat: the CommonsCollections chains execute the command through Runtime.exec(String), which splits on whitespace and does not interpret shell operators such as `&&` or `>>`; a command written in shell syntax will fail silently, so express the marker write as one argv-safe invocation (for example by handing an encoded script to `sh -c`) and confirm it works in a plain Java harness before using it against the target. UPDATE the qrtz_job_details row of a job with a frequently firing trigger, wait for Quartz to fire (the ticket assumes at most one minute on the default trigger schedule; confirm the actual cadence against qrtz_cron_triggers / qrtz_simple_triggers in the running instance), then read the marker file via docker exec.",
    "fixed_behavior": "v2.10.21 either (a) upgrades commons-collections / removes the vulnerable gadget classes from the classpath, (b) configures Quartz to use JSON or Properties-based serialization (org.quartz.jobStore.useProperties=true, or a custom serializer), or (c) adds a deserialization allow-list on the JobDataMap path. The reproduction must show that the same UPDATE on the patched build does NOT result in the marker file appearing. Caveat for the verifier: the absence of the marker only proves that this particular CommonsCollections gadget no longer fires. If the fix turns out to be (a) alone, the ObjectInputStream sink on JOB_DATA is still reachable and other gadget chains present on the classpath may still be exploitable, so the verification report should also record which of (a), (b) or (c) the patched build actually implements (dependency tree, quartz.properties / JobStore configuration, or a filter on the deserialization path) rather than relying on the negative marker test alone.",
  }
}
