Cyber Posture

CVE-2026-40901

HighPublic PoC

Published: 16 April 2026

Published
16 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0035 57.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the…

more

qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely patching of the deserialization vulnerability fixed in DataEase v2.10.21, directly eliminating the unsafe ObjectInputStream usage in Quartz.

SI-10 Information Input Validation good match
prevent

Validates inputs to prevent SQL injection in features like previewSql, blocking authenticated attackers from writing malicious payloads to the qrtz_job_details table.

AC-6 Least Privilege partial match
prevent

Enforces least privilege to restrict authenticated users' write access to critical Quartz job tables, mitigating the prerequisite for injecting deserialization gadgets.

Security SummaryAI

CVE-2026-40901 is a deserialization vulnerability in DataEase, an open-source data visualization and analytics platform. Versions 2.10.20 and below bundle the legacy velocity-1.7.jar, which includes commons-collections-3.2.1.jar containing the InvokerTransformer gadget chain. The bundled Quartz 2.3.2 scheduler deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream without any deserialization filter or class allowlist, enabling the CWE-502 deserialization of untrusted data. The issue carries a CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with write access to the Quartz job table, such as through the previously disclosed SQL injection in the previewSql feature, can replace a scheduled job's JOB_DATA field with a malicious CommonsCollections6 gadget chain payload. When the associated Quartz cron trigger fires, the payload is deserialized, resulting in arbitrary command execution as root inside the container and achieving full remote code execution.

The vulnerability has been addressed in DataEase version 2.10.21, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to v2.10.21 or later and review access controls on the Quartz job tables to mitigate risks from chained exploits.

Details

CWE(s)
CWE-502

Affected Products

dataease
dataease
≤ 2.10.21

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Deserialization vulnerability in public-facing DataEase platform enables authenticated remote exploitation for root RCE via gadget chain, facilitating public-facing app exploitation, privilege escalation, and Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References