{
  "ticket_id": "CVE-2026-40900",
  "code_root": "external/dataease",
  "source": {
    "type": "cve",
    "cve_id": "CVE-2026-40900",
    "advisory_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40900",
    "writeup_url": "https://www.ox.security/blog/from-auth-bypass-to-rce-a-4-vulnerability-exploit-chain-in-dataease/",
    "vendor": "DataEase / FIT2CLOUD",
    "product": "DataEase",
    "repo": "https://github.com/dataease/dataease"
  },
  "facts": {
    "cve_id": "CVE-2026-40900",
    "issue_summary": "Stacked-query SQL injection in DataEase's previewSql endpoint (/de2api/datasetData/previewSql). The endpoint takes user-supplied SQL and wraps it inside a subquery (e.g. SELECT * FROM ( <USER_SQL> ) AS tmp) WITHOUT validating that the user input is a single SELECT statement. When the underlying MySQL JDBC connection has allowMultiQueries=true, an attacker can craft a payload of the form `SELECT 1 FROM dual) AS x;<arbitrary statement>#` whose trailing MySQL '#' comment swallows the rest of the wrapper, letting the second statement execute against the application database. Practical impact: full read/write access (INSERT/UPDATE/DELETE) on the DataEase application database, including the Quartz scheduler tables that enable RCE per the Ox Security writeup.",
    "vulnerability_type": "SQL Injection (Stacked Queries)",
    "suspected_cwe": ["CWE-89"],
    "affected_versions": "<= v2.10.20",
    "fixed_versions": ["v2.10.21"],
    "reproduce_version": "v2.10.20",
    "verify_fixed_version": "v2.10.21",
    "repo_url": "https://github.com/dataease/dataease.git",
    "checkout_ref": "v2.10.20",
    "code_root": "external/dataease",
    "database_requirement": "MySQL/MariaDB datasource configured with allowMultiQueries=true in the JDBC URL. In the full chain (CVE-2026-23958 auth bypass -> CVE-2026-40899 JDBC blocklist bypass -> CVE-2026-40900 stacked SQLi) the attacker sets allowMultiQueries via the JDBC URL. For a standalone reproduction of CVE-2026-40900 you may configure the MySQL datasource with allowMultiQueries=true manually via the admin UI / API (the bug is in previewSql; the only prerequisite is that the underlying JDBC connection permits multi-statement execution).",
    "attacker_access": "authenticated (any user with permission to call previewSql against a configured MySQL datasource; admin by default)",
    "primary_entry_point": "POST /de2api/datasetData/previewSql with PreviewSqlDTO body (datasource id + sql)",
    "vulnerable_files": [
      "core/core-backend/src/main/java/io/dataease/dataset/server/DatasetDataServer.java",
      "core/core-backend/src/main/java/io/dataease/dataset/manage/DatasetDataManage.java"
    ],
    "reproduction_requirement": "MUST exploit via a real running DataEase v2.10.20 instance over HTTP. Required proof: send an authenticated POST to /de2api/datasetData/previewSql with a stacked-SQL payload that uses MySQL '#' comment to escape the wrapping subquery, and show that a side-effect-only statement (e.g. INSERT or UPDATE that could NOT be expressed as a SELECT) ran against the application database. Static analysis, harnessed direct calls to DatasetDataManage.previewSql(), or running raw SQL via mysql client are NOT acceptable. Then repeat against v2.10.21 and show the request is rejected / no side-effect executes.",
    "exploit_payload_template": "SELECT 1 FROM dual) AS x; INSERT INTO core_msg_type (id, name, pid) VALUES (999999999, 'pwned-by-cve-2026-40900', 0)#",
    "patch_diff_command": "git diff v2.10.20 v2.10.21 -- core/core-backend/src/main/java/io/dataease/dataset/",
    "environment_notes": "Docker backend. DataEase ships as a Spring Boot app. Recommended setup is docker compose with two services: (a) MySQL 8 with a dedicated database used as both the DataEase application DB AND as a registered 'business' datasource with allowMultiQueries=true; (b) a DataEase server built from the v2.10.20 source (./mvnw -pl core/core-backend -am package, or use the official registry.cn-qingdao.aliyuncs.com/dataease/dataease image at the matching tag if available). Default admin credentials are admin / DataEase@123456 (a forced password reset on first login - automate this).",
    "desired_artifacts": [
      "repro/reproduction_steps.sh",
      "repro/rca_report.md",
      "repro/patch_analysis.md",
      "runtime evidence: HTTP request/response transcript on v2.10.20 plus a before/after SELECT against the target table showing that the injected INSERT/UPDATE actually committed; the same payload against v2.10.21 producing no side effect"
    ]
  },
  "simulation": {
    "recipe_id": "default_recipe",
    "inputs": {
      "code_root": "external/dataease",
      "install_command": "git clone --depth 1 --branch v2.10.20 https://github.com/dataease/dataease.git external/dataease",
      "command": "git -C external/dataease log -1 --format=%H v2.10.20"
    }
  }
}
