CVE-2026-53729

Summary

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download (/exportCenter/download/{id}), delete (/exportCenter/delete), retry (/exportCenter/retry/{id}), or generate download links (/exportCenter/generateDownloadUri/{id}) for export tasks belonging to other users by manipulating the task ID parameter, and the /exportCenter/download/{id} endpoint is whitelisted from authentication, allowing unauthenticated access to exported files. This issue is fixed in version 2.10.24.

Affected Software

VendorProductVersion RangeStatus
dataeasedataease< 2.10.24affected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

References