External risk intelligence

DataEase Redshift SQL Injection Leads to Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-45534

DataEase is a data visualization and analysis platform typically deployed as a web application. Such applications are commonly exposed to the network to allow users to access dashboards and reports, making the underlying application logic and its datasource connection configurations reachable in standard web-based deployment environments.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the DataEase data visualization tool could allow an attacker to execute arbitrary code when establishing a connection to a Redshift data source. This is possible by manipulating a configuration file that the tool loads during the connection process.

  • Allows code execution via data source connections.
  • Critical for ensuring data integrity and system security.
  • Verify if DataEase Redshift connections are in use.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by gaining limited access to the DataEase application, then crafting a malicious JDBC connection string. This string would trick the Redshift data source configuration into loading a custom `rsjdbc.ini` file from a temporary directory. When the application attempts to establish the connection, it would trigger a chain of reflection-based calls that lead to remote code execution.

  • Requires limited user access.
  • Triggered by a malicious JDBC connection.
  • Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this vulnerability could allow an attacker with limited privileges to execute arbitrary code on the server by manipulating JDBC connection configurations. This occurs when the DataEase Redshift datasource attempts to load a malicious configuration file from the temporary directory during a standard connection.

  • Server-side code execution.
  • Malicious configuration loaded by JDBC.
  • Compromised server and data.

Operational Fix

Recommended remediation, mitigation, and detection steps

The application owner is responsible for addressing this critical vulnerability in the DataEase data visualization tool, as it allows for remote code execution through compromised Redshift datasource configurations. The initial step involves identifying all instances of DataEase, verifying their exposure to the network, and assessing their business criticality. This will inform the prioritization of remediation efforts, which may include vendor coordination and planning for the application of the fix in version 2.10.23.

  • Application owners must address this issue.
  • Verify DataEase instances and exposure.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is DataEase and how is it used?

DataEase is an open-source platform designed for data visualization and analysis. Organizations use it to build dashboards and reports by connecting to various data sources, allowing teams to explore and interpret information from databases. It is typically deployed as a web application within a network, enabling multiple users to access and interact with its reporting features and underlying data connections.

What does CWE-94 mean in the context of CVE-2026-45534?

CWE-94 refers to Improper Control of Generation of Code, often called code injection. In this CVE, the vulnerability allows the DataEase application to be tricked into executing unintended commands. By manipulating a configuration file during a Redshift database connection, an attacker forces the software to process malicious instructions, effectively allowing them to run arbitrary code on the server hosting the application.

How does an attacker trigger this vulnerability?

An attacker needs limited access to the application to influence how a Redshift data source connection is established. By placing a malicious configuration file in the system's temporary directory, they can manipulate the connection process. Importantly, simply having the software installed is not enough; the vulnerability specifically activates during the backend process of initiating a Redshift JDBC connection, which pulls the file from that specific temporary location.

Do I need to worry if my DataEase instance is internal?

According to Halo Surface Signal, DataEase is often deployed as a web application intended for network access to dashboards, which may increase its reachability. While internet-facing instances are generally at higher risk, any user with limited privileges within your environment could potentially trigger this issue. You should assess whether your specific deployment environment allows for the type of configuration manipulation required for exploitation.

What are the first steps to address CVE-2026-45534?

Start by identifying all instances of DataEase running in your environment. Confirm which of these instances are configured to use Redshift data sources, as these are the ones susceptible to this issue. Prioritize these systems for an update to version 2.10.23 or later, where this flaw is fixed. Coordinating with your IT or application team to plan this update is the most effective way to secure your infrastructure against this vulnerability.

References