Skip to content
Verified reproduction

CVE-2026-40899: DataEase: JDBC parameter blocklist bypass via Lombok @Data setter exposure

CVE-2026-40899 is verified against dataease · github affected versions: <= v2.10.20 fixed version: v2.10.21 vulnerability class: Auth Bypass This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00165.

REPRO-2026-00165 dataease · github Auth Bypass Variant found May 25, 2026 CVE entry .txt
Severity MEDIUM
Confidence HIGH
Reproduced in 111m 23s
Tool calls 487
Spend $5.87
Affected <= v2.10.20
Fixed in v2.10.21
$ pruva-verify REPRO-2026-00165
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00165/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

DataEase exposes a "Datasource" feature that lets a logged-in administrator add JDBC connections to MySQL/PostgreSQL/Oracle/etc. To prevent that administrator from setting dangerous JDBC parameters (which can turn a benign "open a database connection" action into file read or deserialization), the server keeps a server-side blocklist of parameter names — at minimum allowLoadLocalInfile, autoDeserialize, allowMultiQueries, and similar.

The blocklist is held on a Java configuration bean. Its class is annotated with Lombok @Data, which auto-generates a public no-arg setter for every non-final field, including the blocklist field itself. Spring's default JSON binding (Jackson) then happily calls that setter when the JSON request body contains a matching key. An admin (the threat model) submitting the "add datasource" form can therefore include a JSON field that overwrites the blocklist with [] in the same request that pushes a custom extraParams value through the JDBC URL.

Once allowLoadLocalInfile=true reaches the JDBC URL, the MySQL JDBC client will honor any LOCAL INFILE response from the server it connects to — including a rogue MySQL listener controlled by the same admin — and read arbitrary files off the DataEase host into the connection-test response.

This is step #2 of the public 4-CVE chain (auth bypass → blocklist bypass → stacked SQLi → Quartz deserialization RCE).

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.