Cyber Posture

CVE-2026-32140

Severity: High · Public PoC

Published: 12 March 2026
Modified: 13 March 2026
KEV Added: (none)
Patch: available (fixed in 2.10.20)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0054 (67.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Dataease is an open source data visualization analysis tool. Prior to version 2.10.20, an attacker who controls the IniFile parameter can force the Redshift JDBC driver to load an attacker-controlled configuration file. That file can inject dangerous JDBC properties, leading to remote code execution. The driver's execution flow reaches a method named getJdbcIniFile, which implements an aggressive automatic configuration file discovery mechanism: if not explicitly restricted, it searches for a file named rsjdbc.ini. In a JDBC URL context, the configuration file can also be specified explicitly via URL parameters, which allows arbitrary files on the server to be loaded as the JDBC configuration file. Within the Redshift JDBC driver properties, the parameter IniFile is explicitly supported and is used to load an external configuration file. This vulnerability is fixed in version 2.10.20.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Validates JDBC URL parameters such as IniFile to prevent loading of attacker-controlled configuration files that lead to RCE.

prevent: Requires timely patching of Dataease to version 2.10.20 or later to remediate the vulnerable JDBC driver handling.

prevent: Restricts dangerous information inputs, such as arbitrary IniFile parameters in JDBC URLs, to block the exploitation path.
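The first control above, validating JDBC connection parameters before they reach the driver, as an added example. This is standalone Python written for this page, not code from Dataease or from the Redshift JDBC driver. It assumes the "?a=b&c=d" query style the Redshift driver uses (and the ";a=b" style some other drivers use), treats property names case-insensitively after percent-decoding so an encoded IniFile does not slip past, and checks a separate property map as well as the URL because the advisory says IniFile is accepted as a driver property. The denylist holds only the property the advisory names; extend it from your driver's documentation.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Properties that make the driver read a configuration file from the server's
# filesystem. "IniFile" is the property named in the advisory; any other
# file-loading properties your driver exposes must be added here (assumption:
# this list is complete only for the property the advisory describes).
FORBIDDEN_PROPERTIES = {"inifile"}


def _normalise(name: str) -> str:
    # Percent-decode and case-fold so IniFile, inifile and %49niFile all
    # compare equal; JDBC drivers generally match property names
    # case-insensitively, so the check must too.
    return unquote(name).strip().casefold()


def parse_jdbc_params(url: str) -> Dict[str, List[str]]:
    """Return name -> values for the parameter section of a JDBC URL.

    Handles the '?a=b&c=d' query style used by the Redshift driver and the
    ';a=b;c=d' style some other drivers use. Duplicate names are kept, so a
    second IniFile hidden behind a harmless first occurrence is still seen.
    """
    sep = re.search(r"[?;]", url)
    if sep is None:
        return {}
    params: Dict[str, List[str]] = {}
    for pair in re.split(r"[&;]", url[sep.end():]):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(_normalise(name), []).append(unquote(value))
    return params


def check_jdbc_connection(
    url: str, extra_props: Optional[Dict[str, str]] = None
) -> List[Tuple[str, str, str]]:
    """Return (source, property, value) for every forbidden property found.

    An empty list means neither the URL nor the property map names anything
    on the denylist; a non-empty list is the reason to reject the datasource.
    """
    findings: List[Tuple[str, str, str]] = []
    for name, values in parse_jdbc_params(url).items():
        if name in FORBIDDEN_PROPERTIES:
            findings.extend(("url", name, v) for v in values)
    for name, value in (extra_props or {}).items():
        key = _normalise(name)
        if key in FORBIDDEN_PROPERTIES:
            findings.append(("properties", key, value))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: a benign Redshift URL, then the same URL with
    # a percent-encoded IniFile parameter pointing at a server-side file.
    benign = "jdbc:redshift://rs.example.internal:5439/analytics?ssl=true"
    hostile = benign + "&%49niFile=/tmp/uploads/evil.ini"
    print(check_jdbc_connection(benign))   # []
    print(check_jdbc_connection(hostile))  # [('url', 'inifile', '/tmp/uploads/evil.ini')]
```

Run this wherever a user-supplied JDBC URL or property map is accepted (datasource creation and edit, and any import path), and reject the request on a non-empty result rather than stripping the parameter, so the attempt is logged. A denylist is the minimum; an allowlist of the properties your deployment actually needs is stronger, and the same matcher can be run over already-stored datasource definitions to find entries created before the patch.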

Security Summary [AI-generated]

CVE-2026-32140 affects Dataease, an open source data visualization analysis tool, in versions prior to 2.10.20. The vulnerability arises from control of the IniFile parameter passed to the Redshift JDBC driver, which forces the driver to load an attacker-controlled configuration file. That file can inject dangerous JDBC properties, enabling remote code execution. The issue stems from the driver's getJdbcIniFile method: left unrestricted it automatically searches for a file named rsjdbc.ini, and it also honours an explicit configuration file path supplied through JDBC URL parameters, so any file on the server that the Dataease process can read can be loaded as the driver configuration.

An attacker with low privileges, such as an authenticated user in Dataease (per CVSS PR:L), can exploit this over the network with low complexity and no user interaction required (CVSS AV:N/AC:L/UI:N). By manipulating the IniFile parameter in a JDBC URL, they can direct the Redshift JDBC driver to load a malicious configuration file, injecting properties that lead to remote code execution on the server (CVSS C:H/I:H/A:H, score 8.8).

The GitHub security advisory for Dataease (GHSA-jc9q-3jfw-mch4) confirms the vulnerability is fixed in version 2.10.20, recommending an upgrade to mitigate the risk. No additional workarounds are specified in the provided details.

Details

CWE(s): none listed

Affected Products
Vendor: dataease
Product: dataease
Versions: < 2.10.20 (fixed in 2.10.20)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows an authenticated low-privilege attacker to exploit a public-facing data visualization tool (Dataease) via network-accessible manipulation of JDBC URL parameters, leading directly to remote code execution, mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
