CVE-2026-40899: DataEase: JDBC parameter blocklist bypass via Lombok @Data setter exposure
CVE-2026-40899 is verified against dataease · github affected versions: <= v2.10.20 fixed version: v2.10.21 vulnerability class: Auth Bypass This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00165.
pruva-verify REPRO-2026-00165 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00165/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh DataEase exposes a "Datasource" feature that lets a logged-in administrator
add JDBC connections to MySQL/PostgreSQL/Oracle/etc. To prevent that
administrator from setting dangerous JDBC parameters (which can turn a benign
"open a database connection" action into file read or deserialization), the
server keeps a server-side blocklist of parameter names — at minimum
allowLoadLocalInfile, autoDeserialize, allowMultiQueries, and similar.
The blocklist is held on a Java configuration bean. Its class is annotated
with Lombok @Data, which auto-generates a public no-arg setter for
every non-final field, including the blocklist field itself. Spring's
default JSON binding (Jackson) then happily calls that setter when the JSON
request body contains a matching key. An admin (the threat model) submitting
the "add datasource" form can therefore include a JSON field that overwrites
the blocklist with [] in the same request that pushes a custom
extraParams value through the JDBC URL.
Once allowLoadLocalInfile=true reaches the JDBC URL, the MySQL JDBC client
will honor any LOCAL INFILE response from the server it connects to —
including a rogue MySQL listener controlled by the same admin — and read
arbitrary files off the DataEase host into the connection-test response.
This is step #2 of the public 4-CVE chain (auth bypass → blocklist bypass → stacked SQLi → Quartz deserialization RCE).
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.