What's the vulnerability?

DataEase uses the Quartz scheduler with the JDBC JobStore backend so its periodic tasks (dataset refreshes, digest emails, maintenance jobs) survive restarts. In Quartz's default configuration (org.quartz.jobStore.useProperties=false) the JDBC JobStore persists each job's JobDataMap in the qrtz_job_details.JOB_DATA column as a Java-serialized blob and reads it back with ObjectInputStream.readObject() every time the trigger fires and the job detail is loaded.

The DataEase classpath ships a commons-collections release that still contains the well-known transformer-based gadget chain (InvokerTransformer/ChainedTransformer). No class filter sits in front of that readObject() call, so the only thing standing between an attacker and code execution is the table contents, and the preceding step in the chain (CVE-2026-40900, stacked SQL injection) hands exactly that to them. With write access to a single row of qrtz_job_details, the attacker replaces JOB_DATA with a serialized gadget payload; on the next scheduler tick the JobStore deserializes it and runs whatever method chain it encodes inside the JVM running the DataEase backend.

This is the terminal step of the 4-CVE chain (auth bypass → blocklist bypass → stacked SQLi → Quartz deserialization RCE). The end result is code execution inside the DataEase container as the DataEase process user, which is root in the default container image.

Two caveats for anyone assessing exposure. Upgrading commons-collections to a release without the transformer gadgets closes this particular chain but leaves the readObject() sink in place for any other gadget on the classpath. Setting org.quartz.jobStore.useProperties=true makes the JDBC JobStore persist JobDataMap entries as name/value strings instead of a serialized object, which removes deserialization from this path entirely, at the cost of rejecting non-String values in existing JobDataMaps.
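A practical check for a deployment that may already have been hit is to pull every JOB_DATA blob out of qrtz_job_details and look for class descriptors that a legitimate Quartz JobDataMap never references. The scanner below is an added example written for this page, not code from Pruva, DataEase or Quartz: it walks a Java serialization stream for TC_CLASSDESC records (a 0x72 byte, a two-byte length, then the class name) and flags commons-collections transformer classes and TemplatesImpl. The two sample blobs are hand-constructed to mimic that record layout and are not real Quartz output, and the suspicious-class list is an assumption to be extended for the classpath you actually ship.

```python
"""Triage scanner for Java-serialized blobs in qrtz_job_details.JOB_DATA.

Added example for this page, not DataEase, Quartz or Pruva code. It walks a
Java serialization stream looking for TC_CLASSDESC records (0x72, a u2
length, then the class name in modified UTF-8) and flags class names that a
legitimate Quartz JobDataMap has no reason to reference.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectStreamConstants.STREAM_MAGIC + STREAM_VERSION 5
TC_OBJECT = b"\x73"
TC_CLASSDESC = 0x72
TC_STRING = b"\x74"
TC_ENDBLOCKDATA = b"\x78"
TC_NULL = b"\x70"

# Assumption: an illustrative denylist. Extend it with the gadget classes that
# are actually present on the classpath you ship.
SUSPICIOUS_PREFIXES = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections4.functors.",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)

# Fully-qualified Java class name: at least one dot-separated package segment.
CLASS_NAME_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def extract_class_names(blob: bytes) -> list:
    """Return class names from TC_CLASSDESC records, in stream order.

    Heuristic rather than a full parser: every 0x72 byte is tried as a record
    start and kept only if the u2 length and the bytes that follow decode to a
    plausible class name. That is enough for triage and avoids implementing
    the whole object-graph grammar (handles, back-references, block data).
    """
    names = []
    i = 0
    while i < len(blob) - 3:
        if blob[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", blob, i + 1)
            end = i + 3 + length
            if 3 <= length <= 255 and end <= len(blob):
                try:
                    candidate = blob[i + 3:end].decode("utf-8")
                except UnicodeDecodeError:
                    candidate = ""
                if CLASS_NAME_RE.match(candidate):
                    names.append(candidate)
                    i = end          # skip the name so its own bytes are not re-scanned
                    continue
        i += 1
    return names


def scan_job_data(blob: bytes) -> dict:
    """Classify one JOB_DATA value: is it a serialized stream, which classes
    does it name, and which of those are on the denylist."""
    if not blob.startswith(STREAM_MAGIC):
        # useProperties=true stores name/value strings here instead; nothing to deserialize.
        return {"serialized": False, "classes": [], "suspicious": []}
    classes = extract_class_names(blob)
    suspicious = [c for c in classes if c.startswith(SUSPICIOUS_PREFIXES)]
    return {"serialized": True, "classes": classes, "suspicious": suspicious}


# --- constructed sample blobs (hand-built for this example, not real Quartz output) ---

def _classdesc(name: str) -> bytes:
    """Minimal TC_CLASSDESC: name, 8-byte serialVersionUID (zeroed here),
    SC_SERIALIZABLE flag, zero fields, end-of-block, no superclass."""
    enc = name.encode("utf-8")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(enc)) + enc
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + TC_ENDBLOCKDATA + TC_NULL)


def _string(s: str) -> bytes:
    enc = s.encode("utf-8")
    return TC_STRING + struct.pack(">H", len(enc)) + enc


BENIGN_JOB_DATA = (STREAM_MAGIC + TC_OBJECT
                   + _classdesc("org.quartz.JobDataMap")
                   + _classdesc("org.quartz.utils.StringKeyDirtyFlagMap")
                   + _string("datasetId") + _string("42"))

MALICIOUS_JOB_DATA = (STREAM_MAGIC + TC_OBJECT
                      + _classdesc("org.quartz.JobDataMap")
                      + _classdesc("java.util.HashMap")
                      + _classdesc("org.apache.commons.collections.map.LazyMap")
                      + _classdesc("org.apache.commons.collections.functors.ChainedTransformer")
                      + _classdesc("org.apache.commons.collections.functors.InvokerTransformer")
                      + _string("getRuntime") + _string("exec"))

PROPERTIES_JOB_DATA = b"datasetId=42\n"   # what useProperties=true would store instead


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_JOB_DATA), ("malicious", MALICIOUS_JOB_DATA),
                        ("properties", PROPERTIES_JOB_DATA)):
        print(label, scan_job_data(blob))
```

Against a live instance, feed scan_job_data the raw bytes from a query over JOB_NAME and JOB_DATA in qrtz_job_details (Quartz's default table and column names, with the qrtz_ prefix the page uses). A hit means the SQL injection step has already landed, not merely that deserialization is reachable. The scan stays heuristic: it reports which classes a stream names, not whether the JVM would resolve or execute them.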

Verify with pruva-verify

One command: run the Pruva CLI to fetch and execute the reproduction script automatically.

pruva-verify REPRO-2026-00167
(or: pruva-verify CVE-2026-40901)

Install the CLI first (read install.sh before piping it to a shell):
curl -fsSL https://pruva.dev/install.sh | sh

Or run manually

1. Download the script:
   curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00167/artifacts/bundle/repro/reproduction_steps.sh

2. Make it executable:
   chmod +x reproduction_steps.sh

3. Run the script:
   ./reproduction_steps.sh

Run it only in a VM, container, or other disposable environment: the script exploits a real vulnerability.
