#VU126340 Improper access control in DataEase - CVE-2025-49002

Published: April 16, 2026


Vulnerability identifier: #VU126340
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-49002
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: DataEase
Software vendor: DataEase

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper access control in the /de2api/datasource/validate endpoint when handling crafted H2 JDBC connection strings. A remote user can send a specially crafted request with a forged token and malicious JDBC URL to execute arbitrary code.

The check that prohibits the INIT and RUNSCRIPT settings is case-sensitive and can therefore be bypassed, and code execution occurs even when secret verification fails, because the application still proceeds to establish the JDBC connection after the failed check.
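The two weaknesses described above (a case-sensitive blocklist on H2 connection settings, and a secret check that does not stop the connection attempt) are shown below as an added, defender-side illustration in Python. It is not DataEase's code and makes no claim about the project's internals; the names `weak_is_forbidden`, `h2_settings`, `is_forbidden_h2_url`, `verify_secret`, `validate_datasource` and the shared secret are assumptions made for this example.

```python
"""Illustrative validator for H2 JDBC URLs and a fail-closed validate flow.

Added example, not DataEase's code. All names and the secret below are
constructed for this illustration.
"""
import hashlib
import hmac
from urllib.parse import unquote

# H2 connection settings that cause SQL to run at connect time; they must
# never be accepted from a user-supplied datasource definition.
FORBIDDEN_H2_SETTINGS = frozenset({"init", "runscript"})

# Constructed shared secret, used only so the example runs offline.
_EXAMPLE_SECRET = b"example-shared-secret"


def weak_is_forbidden(jdbc_url: str) -> bool:
    """Case-sensitive substring check: the kind of prohibition the advisory
    says can be bypassed, because H2 accepts setting names in any case."""
    return "INIT=" in jdbc_url or "RUNSCRIPT" in jdbc_url


def h2_settings(jdbc_url: str) -> dict:
    """Parse the ';'-separated settings of an H2 JDBC URL into a dict whose
    keys are lower-cased and stripped, after undoing URL-encoding."""
    decoded = unquote(jdbc_url)
    parts = decoded.split(";")
    settings = {}
    for part in parts[1:]:          # parts[0] is 'jdbc:h2:<database>'
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def is_forbidden_h2_url(jdbc_url: str) -> bool:
    """Case-insensitive, key-based check: reject any H2 URL that carries an
    INIT or RUNSCRIPT setting, regardless of how the key is spelled."""
    if not jdbc_url.lower().startswith("jdbc:h2:"):
        return False            # other drivers need their own rules (allowlist them)
    return any(key in FORBIDDEN_H2_SETTINGS for key in h2_settings(jdbc_url))


def example_token() -> str:
    """The token a legitimate caller would present in this example."""
    return hashlib.sha256(_EXAMPLE_SECRET).hexdigest()


def verify_secret(token: str, expected_secret: bytes) -> bool:
    """Constant-time comparison of the presented token against the expected digest."""
    expected = hashlib.sha256(expected_secret).hexdigest()
    return hmac.compare_digest(token, expected)


def validate_datasource(token: str, jdbc_url: str, connect) -> str:
    """Fail closed: the JDBC connection is attempted only after BOTH the token
    and the URL have passed. A failed secret check returns immediately, which
    is the behaviour the advisory says was missing."""
    if not verify_secret(token, _EXAMPLE_SECRET):
        return "rejected: invalid token"
    if is_forbidden_h2_url(jdbc_url):
        return "rejected: forbidden H2 setting"
    connect(jdbc_url)           # only reached for an authenticated, clean request
    return "ok"
```

The key-based parser rejects a setting by its normalized name rather than by a literal substring, so casing, surrounding whitespace and URL-encoding no longer matter; and `validate_datasource` returns before any connection is made when the token check fails, so a forged token cannot reach the JDBC driver at all.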


Remediation

Install the security update from the vendor's website.

External links