CVE-2026-40900: DataEase: stacked-query SQL injection via previewSql with allowMultiQueries
CVE-2026-40900 is verified against dataease · github affected versions: <= v2.10.20 fixed version: v2.10.21 vulnerability class: SQLi This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00169.
pruva-verify REPRO-2026-00169 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00169/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh DataEase's "preview SQL" endpoint takes user-supplied SQL meant to represent a dataset's source query and wraps it inside a subquery, roughly:
SELECT * FROM ( <USER_SQL> ) AS pruva_alias LIMIT 100
The server does NOT validate that the user input is a single SELECT
statement. When the underlying MySQL JDBC connection has
allowMultiQueries=true (set on the JDBC URL of the configured datasource), a
crafted payload using MySQL's # comment terminator can escape the wrapping
subquery and execute arbitrary stacked statements. Example payload:
SELECT 1 FROM dual) AS x; INSERT INTO core_msg_type (id, name, pid) VALUES (999999999, 'pwned-by-cve-2026-40900', 0)#
After the server's SELECT * FROM ( ... ) AS pruva_alias LIMIT 100 wrap is
applied this becomes a perfectly valid multi-statement script: the first
statement is a benign SELECT, the second statement is the attacker's
side-effecting query, and the trailing # swallows the remainder of the
wrapper (closing paren, alias, LIMIT). With allowMultiQueries=true MySQL
runs both statements and the INSERT/UPDATE/DELETE commits to the application
database.
In the full chain documented by Ox Security (auth bypass CVE-2026-23958 ->
JDBC blocklist bypass CVE-2026-40899 -> this CVE -> Quartz scheduler RCE) the
attacker uses CVE-2026-40899 to plant allowMultiQueries=true in the JDBC URL
of a datasource. For a standalone reproduction of CVE-2026-40900 we can
shortcut that step by registering the datasource with allowMultiQueries=true
manually (as admin) - the bug under test is the missing single-statement
enforcement in previewSql.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.